escape non-mangled xss
fixes #926
UziTech committed Dec 23, 2017
1 parent 6d1901f commit cb72584
Showing 3 changed files with 10 additions and 2 deletions.
6 changes: 4 additions & 2 deletions lib/marked.js
Expand Up @@ -574,9 +574,11 @@ InlineLexer.prototype.output = function(src) {
if (cap = this.rules.autolink.exec(src)) {
src = src.substring(cap[0].length);
if (cap[2] === '@') {
text = cap[1].charAt(6) === ':'
text = escape(
cap[1].charAt(6) === ':'
? this.mangle(cap[1].substring(7))
: this.mangle(cap[1]);
: this.mangle(cap[1])
);
href = this.mangle('mailto:') + text;
} else {
text = escape(cap[1]);
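Review bot: Wrapping `this.mangle(...)` in `escape(...)` on the new `text = escape(` line is only safe while `escape()` leaves the `&#NN;`/`&#xNN;` entities that mangle emits untouched (presumably its non-`encode` mode); that dependency is invisible at this call site and deserves a comment such as `// escape after mangling: with mangle disabled cap[1] is raw input; escape() must not re-encode mangle's &#..; entities`. Because `href` is built from the already-escaped `text`, the mailto target is HTML-escaped here, which matches the new fixture's expected output but would double-encode if the link renderer escapes `href` again — worth confirming, since the renderer is outside this hunk. Both ternary branches call `this.mangle`, so the four new lines can collapse to `text = escape(this.mangle(cap[1].charAt(6) === ':' ? cap[1].substring(7) : cap[1]));`. `InlineLexer.prototype.output` starts and ends outside the hunk.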
3 changes: 3 additions & 0 deletions test/tests/mangle_xss.sanatize.nomangle.html
@@ -0,0 +1,3 @@
<p><a href="mailto:&lt;svg/onload=&quot;alert(1)&quot;//@x">&lt;svg/onload=&quot;alert(1)&quot;//@x</a></p>

<p><a href="mailto:bar&quot;onclick=&quot;alert(&#39;XSS&#39;)&quot;@foo">bar&quot;onclick=&quot;alert(&#39;XSS&#39;)&quot;@foo</a></p>
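Review bot: The fixture name segment `sanatize` in `test/tests/mangle_xss.sanatize.nomangle.html` is misspelled; if the test harness maps dotted name segments onto marked options (as the `nomangle` segment suggests), `sanatize` will not match `sanitize` and the run will silently proceed without sanitization, so the fixture does not exercise what its name claims. Renaming both fixtures to `mangle_xss.sanitize.nomangle.html` / `mangle_xss.sanitize.nomangle.text` would make the intent hold; the same applies to the `.text` file in the next section.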
3 changes: 3 additions & 0 deletions test/tests/mangle_xss.sanatize.nomangle.text
@@ -0,0 +1,3 @@
<<svg/onload="alert(1)"//@x>

<bar"onclick="alert('XSS')"@foo>
