codewalker/marked
1
0
Fork 0
Code Pull Requests Actions Packages Releases Activity
1,227 Commits 1 Branch 191 Tags
Commit Graph

497 Commits

Author SHA1 Message Date
Jamie Davis
5ab4ae3649 security: replace vulnerable regex with parser (#1223) 
* security: replace vulnerable regex with parser

Problem: link regex was vulnerable
Solution: dedicated parser

Fixes: #1222
 2018-04-16 20:21:12 -04:00
Jamie Davis
f052a2c04e security: fix unsafe heading regex 
Problem:
REDOS could be triggered through exploitation of the 'heading' regex.

Solution:
Refactor regex. It matches the same language as before but
is less vulnerable to REDOS.
It is now safe using the bounds suggested by those disclosing it.
It remains super-linear but a successful exploit requires
a much longer attack string.

Fixes:
Issue disclosed privately.

Credit:
This issue was pointed out by
Nick Starke and Adam Cazzolla of Sonatype Security research.
 2018-04-15 22:20:15 -04:00
Tony Brix
4e52c427c6 Merge branch 'master' into pr/1135 2018-04-10 10:10:29 -05:00
Tony Brix
17b231d484 return defaults 2018-04-10 08:28:40 -05:00
Tony Brix
b858452c9c use getDefaults 2018-04-10 07:53:59 -05:00
Tony Brix
ae8f612de5 add marked.origDefaults 2018-04-09 23:19:04 -05:00
Federico Soave
bc7c9dbfb3 do not allow newlines inside html attributes, make cm test 60 pass 2018-04-10 01:16:14 +02:00
Federico Soave
b738cd649c Merge remote-tracking branch 'markedjs/master' into cm_links 2018-04-09 20:43:54 +02:00
Tony Brix
81e01d4faf add more edge cases 2018-04-05 09:34:03 -05:00
Tony Brix
60c2dc4f2c fix inline.em 2018-04-05 09:34:02 -05:00
Tony Brix
a19e2b631a
use default options in Renderer by default 2018-04-04 14:30:42 -05:00
Josh Bruce
8804676f98 Disable heading IDs (#1190) 
* Add option to disable heading ids
* Alphabetize and add options to docs
 2018-04-03 15:10:26 -04:00
Paul Roub
f69a82f7bc Remove redundant cast 2018-03-21 09:23:13 -04:00
Paul Roub
697af11e53 Added integration tests for explicitly-initialized ordered lists. 
Fixed a bug in the initial implementation of ordered-list
initialization.

Add a simpler unit test around starting-from-zero.
 2018-03-20 17:03:11 -04:00
Paul Roub
6b4f2ffa10 Start ordered lists using the initial numbers from markdown lists 
Adds tests for list creation and continuation when starting with a
number other than 1.

Emits 'start' attribute only when necessary; simple cases behave as
always.
 2018-03-15 12:56:59 -04:00
Federico Soave
9cb1900de7 fix backtracking vulnerability in block.pedantic.html as in #1083 2018-03-08 20:55:35 +01:00
Federico Soave
680a6c3c32 Merge remote-tracking branch 'markedjs/master' into cm_links 2018-03-08 19:36:17 +01:00
Federico Soave
c398550341 do not allow control characters in link destinations, per commonmark 2018-03-06 04:37:02 +01:00
Federico Soave
f7d4d21c0f update the list of markdown escapes, per commonmark 2018-03-06 04:35:01 +01:00
Federico Soave
209dff15ef add collapsed reference [links][] = [links][links] 2018-03-06 04:00:14 +01:00
Federico Soave
8594a066bb link labels must have at least one non-whitespace character 2018-03-06 03:54:19 +01:00
Federico Soave
f584acaaee do not process escapes in link labels 2018-03-06 03:48:31 +01:00
Federico Soave
b9394a0ec8 BREAKING CHANGE: space is no longer allowed between [link text] and [link label] in reference links. 
The old behavior is now available in the pedantic mode.
To comply with commonmark: http://spec.commonmark.org/0.28/#example-514
 2018-03-06 03:36:34 +01:00
Federico Soave
22b06cc36b perform space normalization when storing link reference labels 2018-03-06 03:20:28 +01:00
Federico Soave
f21a4d64c4 Revert eb95a71 "[commonmark] BREAKING CHANGE: link nesting is not allowed. If multiple links are nested, the innermost one is used." 
I don't like the cm rule for nested links.
NON-COMPLIANT with commonmark.
 2018-03-06 02:51:03 +01:00
Federico Soave
5b135c3945 lint marked.js 2018-03-06 02:46:15 +01:00
Federico Soave
ef3516ce60 !fixup eb95a71 2018-03-06 02:45:48 +01:00
Federico Soave
eb95a718a4 [commonmark] BREAKING CHANGE: link nesting is not allowed. If multiple links are nested, the innermost one is used. 2018-03-06 02:35:19 +01:00
Federico Soave
8877ff7adf [refactor] rename rule inside -> label 2018-03-06 00:40:50 +01:00
Federico Soave
47365c124e allow brackets in link text if they are inside a code span. Add test. 2018-03-06 00:40:07 +01:00
Federico Soave
271d35705a [security] fix possible ReDOS vulnerable regex rule by refactoring (doesn't change the alphabet) 2018-03-06 00:17:16 +01:00
Federico Soave
3afc360cf9 allow link titles to be wrapped in parenthesis 2018-03-06 00:02:40 +01:00
Federico Soave
d8ff951f8b allow unbalanced parenthesis in links URIs wrapped in angle brackets 2018-03-05 23:33:30 +01:00
Federico Soave
9f20c46829 allow ONE level of matching parenthesis in links. 
NON-COMPLIANT with commonmark!
adjust test #468 accordingly.
 2018-03-05 23:21:52 +01:00
Federico Soave
fc17a2c4ad allow backslash-escapes in link text, href, title and link definition references. 
InlineLexer.escapes() handles markdown escapes sequences.
TODO handle escapes everywhere in the document.
 2018-03-05 23:12:52 +01:00
Federico Soave
e66f7aa7b9 don't allow spaces in link URIs 2018-03-05 22:15:50 +01:00
Federico Soave
3be817b0e7 save current link parsing in pedantic mode 2018-03-05 22:10:49 +01:00
Federico Soave
821e2dafd4 allow matched double quotes in link definition title only in pedantic mode 2018-03-05 22:10:49 +01:00
Federico Soave
bf9c9c50bf Revert fac31ed "allow matched double quotes in link definition title (markdown.pl behavior)." 2018-03-05 22:10:49 +01:00
Federico Soave
d2cef5abc9 escape html entities in link/image href 2018-03-05 22:10:49 +01:00
Federico Soave
de66018d67 encode urls with %xx entities 2018-03-05 22:10:48 +01:00
Federico Soave
d08039e1f2 new rule for html blocks, to comply with commonmark. 
BREAKING CHANGE: inline markdown is not parsed inside html blocks.
 2018-03-04 16:23:38 +01:00
Federico Soave
56972f82a4 save the current html block parsing in the pedantic mode 2018-03-04 16:12:22 +01:00
Federico Soave
1b8ca2bee0 option pedantic overrides gfm, and turns off gfm, tables and breaks. 
FIXME update README
 2018-03-04 16:03:17 +01:00
Federico Soave
8e30cd2e51 !fixup b2611c1b05 
Disallow colons in tag names
 2018-03-04 03:40:23 +01:00
Federico Soave
4de3c98282 refactor html block rule 2018-03-04 03:00:37 +01:00
Federico Soave
27d4da6d38 refactor tag inline rule 2018-03-04 03:00:34 +01:00
Federico Soave
f2ebd4310a allow a regex source string as a parameter for edit() 2018-03-04 03:00:11 +01:00
Federico Soave
b2611c1b05 allow colons in tag names and attributes. Decrease group depth in regex 2018-03-04 02:54:19 +01:00
Federico Soave
652ba97a2c new html comment rule to comply with commonmark (html5). 
non-compliant: allow `--` inside html comments.
adjust inline tag rule accordingly.
 2018-03-04 02:52:33 +01:00