fix: disallow ascii control characters in URLs
dominykas committed May 14, 2019
1 parent 1c5b5b7 commit 371f29c
Showing 2 changed files with 10 additions and 1 deletion.
3 changes: 2 additions & 1 deletion lib/helpers/parse_link_destination.js
Expand Up @@ -52,7 +52,8 @@ module.exports = function parseLinkDestination(state, pos) {

if (code === 0x20) { break; }

if (code > 0x08 && code < 0x0e) { break; }
// ascii control chars
if (code < 0x20 || code === 0x7F) { break; }

if (code === 0x5C /* \ */ && pos + 1 < max) {
pos += 2;
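
Review bot: The new test `code < 0x20 || code === 0x7F` sits directly below `if (code === 0x20) { break; }`, so the two can be a single comparison: `if (code <= 0x20 || code === 0x7F) { break; }`. The comment `// ascii control chars` should also say why these bytes end the destination (the commit title says they are disallowed in URLs), because the parser code alone does not show the reason. The check stops at 0x7F, so code points 0x80 to 0x9F still pass; if that is intended, note it in the comment.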
8 changes: 8 additions & 0 deletions test/fixtures/commonmark/good.txt
Expand Up @@ -5546,3 +5546,11 @@ Multiple spaces
<p>Multiple spaces</p>
.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
src line: 5550

.
[xss](javascript:alert(1))
.
<p>[xss](javascript:alert(1))</p>
.
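
Review bot: In the added fixture the input `[xss](javascript:alert(1))` shows no visible control character, so a reader cannot tell which byte this case exercises or where in the destination it sits. Add a line above the case naming the code point, or move the case into a JavaScript test that builds the input with an explicit escape such as `\x01`. The case should also cover the boundaries of the new check (0x00, 0x1F and 0x7F) rather than a single value.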
