From 2cff85979be8e7a026a9aca35542c470cf5da523 Mon Sep 17 00:00:00 2001
From: Matt Austin
Date: Tue, 19 May 2015 14:15:28 -0700
Subject: [PATCH] added explicit matching for HTML entities to prevent XSS

---
 lib/marked.js | 3 ++-
 test/tests/links.sanitize.html | 4 ++++
 test/tests/links.sanitize.text | 7 +++++++
 3 files changed, 13 insertions(+), 1 deletion(-)
 create mode 100644 test/tests/links.sanitize.html
 create mode 100644 test/tests/links.sanitize.text

diff --git a/lib/marked.js b/lib/marked.js
index 0c2ac4b100..089369f003 100644
--- a/lib/marked.js
+++ b/lib/marked.js
@@ -1094,7 +1094,8 @@ function escape(html, encode) {
 }
 
 function unescape(html) {
-  return html.replace(/&([#\w]+);/g, function(_, n) {
+  // explicitly match decimal, hex, and named HTML entities
+  return html.replace(/&(#(?:\d+)|(?:#x[0-9A-Fa-f]+)|(\w+))/g, function(_, n) {
     n = n.toLowerCase();
     if (n === 'colon') return ':';
     if (n.charAt(0) === '#') {
diff --git a/test/tests/links.sanitize.html b/test/tests/links.sanitize.html
new file mode 100644
index 0000000000..5a5a973589
--- /dev/null
+++ b/test/tests/links.sanitize.html
@@ -0,0 +1,4 @@
+
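Review bot: The new pattern on the added `return html.replace(...)` line no longer consumes the trailing `;` that the removed pattern required, so every entity it decodes leaves a stray semicolon in the output: with the visible `if (n === 'colon') return ':';` branch, `&colon;` now unescapes to `:;` where it previously gave `:`. Terminate the alternatives with an optional semicolon, `/&(#(?:\d+)|(?:#x[0-9A-Fa-f]+)|(?:\w+));?/g`, if the intent is to also decode the semicolon-less spelling (which the old pattern did not), or restore the required `;` if not. The hex alternative only accepts a lowercase `x` because the literal has no `i` flag, and the later `n.toLowerCase()` cannot compensate for a reference that never matched, so an uppercase `#X…` form is left undecoded. The inner `(\w+)` capture is redundant since the callback reads only the outer group; `(?:\w+)` makes that explicit. The body of unescape continues past the hunk, so the numeric branches that parse the `#…` and `#x…` forms are not visible here.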

+

+

+

\ No newline at end of file
diff --git a/test/tests/links.sanitize.text b/test/tests/links.sanitize.text
new file mode 100644
index 0000000000..c2158fc82e
--- /dev/null
+++ b/test/tests/links.sanitize.text
@@ -0,0 +1,7 @@
+[URL](javascript:alert)
+
+[URL](vbscript:alert)
+
+[URL](javascript:alert(1))
+
+[URL](javascript:document;alert(1))
\ No newline at end of file
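Review bot: None of the four inputs added in links.sanitize.text contains an `&…;` entity, so the fixture does not exercise the unescape regex change that is the subject of this patch; the plain `javascript:`/`vbscript:` cases presumably pass the sanitizer with or without it. Adding an entity-encoded spelling of one of the existing URLs alongside the plain ones would make the test fail if the entity decoding regresses. The expected output in links.sanitize.html appears stripped in this view, so the assertion side of the fixture cannot be checked here.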