Security: Ensure Markdown links that contain single quotes are correctly escaped
This commit is contained in:
parent
b328094033
commit
75256613cc
@ -12,6 +12,13 @@ describe('linkReplacement', () => {
|
||||
expect(r).toBe('<a data-from-md href=\'https://example.com/test\'>');
|
||||
});
|
||||
|
||||
test('should handle non-resource links with single quotes in it', () => {
|
||||
// Handles a link such as:
|
||||
// [Google](https://www.goo'onclick=javascript:alert(/1/);f=')
|
||||
const r = linkReplacement('https://www.goo\'onclick=javascript:alert(/1/);f=\'', { linkRenderingType: 1 }).html;
|
||||
expect(r).toBe('<a data-from-md href=\'https://www.goo'onclick=javascript:alert(/1/);f='\' onclick=\'postMessage("https://www.goo%27onclick=javascript:alert(/1/);f=%27", { resourceId: "" }); return false;\'>');
|
||||
});
|
||||
|
||||
test('should handle resource links - downloaded status', () => {
|
||||
const resourceId = 'f6afba55bdf74568ac94f8d1e3578d2c';
|
||||
|
||||
|
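Review bot: The added test covers the single-quote breakout only for `linkRenderingType: 1`, while `linkReplacement` has a second branch (the one that sets `icon = ''` and builds `href='${htmlentities(href)}'`) that stays untested for the same payload, so a regression there would not be caught by this suite. A parallel case, e.g. `linkReplacement('https://www.goo\'onclick=javascript:alert(/1/);f=\'', { linkRenderingType: 2 }).html` with an `&#39;`-escaped `href` expected, would close that gap (which `linkRenderingType` value selects that branch is not visible here — confirm before copying). Note also that the expected string as rendered on this page shows bare `'` characters inside the `href='…'` attribute, which could not even parse as a JS string literal; this is presumably the page decoding `&#39;` entities, and the assertion should be read, and kept, as checking for the entity rather than the raw quote. The enclosing `describe('linkReplacement', …)` block starts outside the hunk.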
@ -122,7 +122,7 @@ export default function(href: string, options: Options = null): LinkReplacementR
|
||||
icon = '';
|
||||
attrHtml.push(`href='${htmlentities(href)}'`);
|
||||
} else {
|
||||
attrHtml.push(`href='${hrefAttr}'`);
|
||||
attrHtml.push(`href='${htmlentities(hrefAttr)}'`);
|
||||
if (js) attrHtml.push(js);
|
||||
}
|
||||
|
||||
|
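Review bot: The fix relies on `htmlentities()` encoding the single quote, because every `href` attribute built here is wrapped in `'…'`; if that helper is ever replaced by one that only escapes `& < > "` (a common default), the attribute breakout returns silently, so the contract deserves a comment next to the two `attrHtml.push` calls: `// href is single-quoted: htmlentities() must encode ' (as &#39;) in addition to &<>" — see the single-quote test.` The `js` value pushed right after (`if (js) attrHtml.push(js);`) embeds the same URL inside an `onclick` handler; it is built outside this hunk and appears URL-encoded (`%27`) in the test expectation, but as it also sits in a single-quoted attribute it is worth confirming that path never interpolates the raw `hrefAttr`. The enclosing `export default function(href, options)` starts and ends outside the hunk.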