Thanks to @tivie's article, we found that this extension did not filter XSS attacks created using markdown syntax. The fix was to make this extension an 'output' type extension, so that it runs after the markdown has been rendered, against the final HTML. This fixes #4.
1 parent
3a4cada
commit 154d5cc
Showing
3 changed files
with
44 additions
and
2 deletions.
@@ -0,0 +1,34 @@ | ||
var expect = require('expect.js'), | ||
filter = require('../showdown-xss-filter'), | ||
showdown = require('showdown'); | ||
|
||
// tests to ensure resolved issues are not re-introduced | ||
describe('issues', function() { | ||
|
||
// https://github.com/VisionistInc/showdown-xss-filter/issues/4 | ||
describe('#4: filters html generated by showdown rendering html', function() { | ||
|
||
var converter; | ||
|
||
beforeEach(function(done) { | ||
converter = new showdown.Converter({extensions: [filter]}); | ||
done(); | ||
}); | ||
|
||
it("filters XSS attacks in markdown links", function(done) { | ||
var markdown = "[test](javascript:alert('xss'))"; | ||
var converted = converter.makeHtml(markdown); | ||
|
||
expect(converted).to.eql('<p><a href>test</a></p>'); | ||
done(); | ||
}); | ||
|
||
it("properly filters mixed markdown/html attack using blockquotes", function(done) { | ||
var markdown = '> hello <a name="n"\n> href="javascript:alert(\'xss\')">*you*</a>'; | ||
var converted = converter.makeHtml(markdown); | ||
|
||
expect(converted).to.eql('<blockquote>\n <p>hello <a href><em>you</em></a></p>\n</blockquote>'); | ||
done(); | ||
}); | ||
}); | ||
}); |
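Review bot: Both `it` blocks assert only showdown's exact rendering (`'<p><a href>test</a></p>'` and the blockquote string), so a showdown upgrade that changes whitespace or attribute layout fails these tests while the filter is still correct, and the security property itself is never stated directly. Add a scheme-level assertion beside each equality check, `expect(converted).to.not.contain('javascript:');`, so the regression guard for #4 holds independently of the exact markup. The `done` parameters in `beforeEach` and both `it` callbacks add nothing because every body is synchronous; the `describe`/`it`/`beforeEach` globals suggest mocha, which treats a callback without a `done` parameter as synchronous, so `function() { ... }` without `done()` is simpler.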