Merge pull request #1515 from UziTech/link-label-security

Link label security
Tony Brix 2019-07-04 09:55:33 -05:00 committed by GitHub
commit 0ee3aa988b
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
6 changed files with 20 additions and 16 deletions


@ -542,7 +542,7 @@ var inline = {
+ '|^<\\?[\\s\\S]*?\\?>' // processing instruction, e.g. <?php ?>
+ '|^<![a-zA-Z]+\\s[\\s\\S]*?>' // declaration, e.g. <!DOCTYPE html>
+ '|^<!\\[CDATA\\[[\\s\\S]*?\\]\\]>', // CDATA section
link: /^!?\[(label)\]\(href(?:\s+(title))?\s*\)/,
link: /^!?\[(label)\]\(\s*(href)(?:\s+(title))?\s*\)/,
reflink: /^!?\[(label)\]\[(?!\s*\])((?:\\[\[\]]?|[^\[\]\\])+)\]/,
nolink: /^!?\[(?!\s*\])((?:\[[^\[\]]*\]|\\[\[\]]|[^\[\]])*)\](?:\[\])?/,
strong: /^__([^\s_])__(?!_)|^\*\*([^\s*])\*\*(?!\*)|^__([^\s][\s\S]*?[^\s])__(?!_)|^\*\*([^\s][\s\S]*?[^\s])\*\*(?!\*)/,
@ -574,8 +574,8 @@ inline.tag = edit(inline.tag)
.replace('attribute', inline._attribute)
.getRegex();
inline._label = /(?:\[[^\[\]]*\]|\\[\[\]]?|`[^`]*`|`(?!`)|[^\[\]\\`])*?/;
inline._href = /\s*(<(?:\\[<>]?|[^\s<>\\])*>|[^\s\x00-\x1f]*)/;
inline._label = /(?:\[[^\[\]]*\]|\\.|`[^`]*`|[^\[\]\\`])*?/;
inline._href = /<(?:\\[<>]?|[^\s<>\\])*>|[^\s\x00-\x1f]*/;
inline._title = /"(?:\\"?|[^"\\])*"|'(?:\\'?|[^'\\])*'|\((?:\\\)?|[^)\\])*\)/;
inline.link = edit(inline.link)
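Review bot: In the new `inline._label`, the `\\.` alternative cannot match a backslash followed by a line break, and no other alternative accepts a bare backslash, so a label containing a backslash hard break appears to stop matching as a link where the old `\\[\[\]]?` branch accepted it. If that is not intended, `\\[\s\S]` covers the newline case while keeping every alternative on a distinct first character. The dropped lone-backtick branch likewise means a label with an unpaired backtick no longer matches; that looks deliberate, but nothing next to the pattern says so. A comment above it would protect the property from later edits, for example `// each alternative starts on a different character, so the group has only one way to consume any input`. The `inline` definitions continue outside both hunks, so how `edit(inline.link)` substitutes `label` and `href` is not visible here.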


@ -2775,8 +2775,7 @@
"example": 342,
"start_line": 6012,
"end_line": 6016,
"section": "Code spans",
"shouldFail": true
"section": "Code spans"
},
{
"markdown": "`<a href=\"`\">`\n",
@ -4266,8 +4265,7 @@
"example": 521,
"start_line": 7887,
"end_line": 7891,
"section": "Links",
"shouldFail": true
"section": "Links"
},
{
"markdown": "[foo<http://example.com/?search=](uri)>\n",
@ -4368,8 +4366,7 @@
"example": 533,
"start_line": 8041,
"end_line": 8047,
"section": "Links",
"shouldFail": true
"section": "Links"
},
{
"markdown": "[foo<http://example.com/?search=][ref]>\n\n[ref]: /uri\n",


@ -2775,8 +2775,7 @@
"example": 342,
"start_line": 6012,
"end_line": 6016,
"section": "Code spans",
"shouldFail": true
"section": "Code spans"
},
{
"markdown": "`<a href=\"`\">`\n",
@ -4266,8 +4265,7 @@
"example": 521,
"start_line": 7887,
"end_line": 7891,
"section": "Links",
"shouldFail": true
"section": "Links"
},
{
"markdown": "[foo<http://example.com/?search=](uri)>\n",
@ -4368,8 +4366,7 @@
"example": 533,
"start_line": 8041,
"end_line": 8047,
"section": "Links",
"shouldFail": true
"section": "Links"
},
{
"markdown": "[foo<http://example.com/?search=][ref]>\n\n[ref]: /uri\n",


@ -1,3 +1,3 @@
[the `]` character](/url)
[the ` character](/url)
[the \` character](/url)


@ -0,0 +1 @@
<p>INDEX(string, pattern[, start)<code>: searches for the first occurrence of pattern in string, starting from start:</code>INDEX(&quot;123123&quot;, &quot;23&quot;, 3)<code>==</code>5<code></code>INSERT(new, old[, start][, length][, pad])<code>: inserts the new string into the old string after the specified position (default is 0), new string is truncated or padded (default is &quot; &quot;) to the specified length, if start is beyond the end of old old will be padded</code>LASTPOS(pattern, string[, start])<code>: searches backwards for the last occurrence of pattern in string, starting from start:</code>LASTPOS(&quot;123123&quot;, &quot;23&quot;, 4)<code>==</code>2<code></code>LINES(file)<code>: returns the number of lines typed ahead at the interactive stream:</code>push(&quot;a line&quot;); push(&quot;second line&quot;); lines(STDIN); /* == 2 */<code></code>MAX(number, number[, number,...])<code>: obvious</code>MIN(number, number[, number,...])<code>: obvious</code>OPEN(filehandle, filename[, &quot;APPEND&quot;|&quot;READ&quot;|&quot;WRITE&quot;])<code>: opens file, returns boolean for success:</code>OPEN(&quot;MyCon&quot;, &quot;CON:160/50/320/100/MyCon/CDS&quot;)<code>==</code>1<code></code>OVERLAY(new, old[, start][, length][, pad])<code>: overlays new string onto old one at start for length chars padding with pad if necessary:</code>OVERLAY(&quot;4&quot;, &quot;123&quot;, 5, 5)<code>==</code>&quot;123-4----&quot;<code></code>POS(pattern, string[, start])` : same as index</p>


@ -0,0 +1,9 @@
INDEX(string, pattern[, start)` : searches for the first occurrence of pattern in string, starting from start: `INDEX("123123", "23", 3)` == `5`
`INSERT(new, old[, start][, length][, pad])` : inserts the new string into the old string after the specified position (default is 0), new string is truncated or padded (default is " ") to the specified length, if start is beyond the end of old old will be padded
`LASTPOS(pattern, string[, start])` : searches backwards for the last occurrence of pattern in string, starting from start: `LASTPOS("123123", "23", 4)` == `2`
`LINES(file)` : returns the number of lines typed ahead at the interactive stream: `push("a line"); push("second line"); lines(STDIN); /* == 2 */`
`MAX(number, number[, number,...])` : obvious
`MIN(number, number[, number,...])` : obvious
`OPEN(filehandle, filename[, "APPEND"|"READ"|"WRITE"])` : opens file, returns boolean for success: `OPEN("MyCon", "CON:160/50/320/100/MyCon/CDS")` == `1`
`OVERLAY(new, old[, start][, length][, pad])` : overlays new string onto old one at start for length chars padding with pad if necessary: `OVERLAY("4", "123", 5, 5)` == `"123-4----"`
`POS(pattern, string[, start])` : same as index