-
Notifications
You must be signed in to change notification settings - Fork 3.4k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Sanitize hardening #1504
Sanitize hardening #1504
Changes from all commits
6b4d792
08389db
506704a
0c38172
73ad658
44da69e
0e8d8f4
63fd313
b78e498
File filter
Filter by extension
Conversations
Jump to
Diff view
Diff view
There are no files selected for viewing
Original file line number | Diff line number | Diff line change |
---|---|---|
|
@@ -434,7 +434,7 @@ Lexer.prototype.token = function(src, top) { | |
: 'html', | ||
pre: !this.options.sanitizer | ||
&& (cap[1] === 'pre' || cap[1] === 'script' || cap[1] === 'style'), | ||
text: cap[0] | ||
text: this.options.sanitize ? (this.options.sanitizer ? this.options.sanitizer(cap[0]) : escape(cap[0])) : cap[0] | ||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. This will be a semantic change for anyone using this feature, right? Same comment on the similar line below. There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Yep, for example if their code allowed XSS then now it won't. 😉 There are no test cases on how the sanitizer should work, so basically any previous change could change this feature also. There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. What I mean is, if anyone is currently invoking marked with the sanitize option, the output may change if we land this PR.
As a result I'm not sure how to semver this. |
||
}); | ||
continue; | ||
} | ||
|
@@ -847,7 +847,7 @@ InlineLexer.prototype.output = function(src) { | |
if (cap = this.rules.text.exec(src)) { | ||
src = src.substring(cap[0].length); | ||
if (this.inRawBlock) { | ||
out += this.renderer.text(cap[0]); | ||
out += this.renderer.text(this.options.sanitize ? (this.options.sanitizer ? this.options.sanitizer(cap[0]) : escape(cap[0])) : cap[0]); | ||
} else { | ||
out += this.renderer.text(escape(this.smartypants(cap[0]))); | ||
} | ||
|
@@ -1536,6 +1536,12 @@ function findClosingBracket(str, b) { | |
return -1; | ||
} | ||
|
||
function checkSanitizeDeprecation(opt) { | ||
if (opt && opt.sanitize && !opt.silent) { | ||
console.warn('marked(): sanitize and sanitizer parameters are deprecated since version 0.7.0, should not be used and will be removed in the future. Read more here: https://marked.js.org/#/USING_ADVANCED.md#options'); | ||
} | ||
} | ||
|
||
/** | ||
* Marked | ||
*/ | ||
|
@@ -1557,6 +1563,7 @@ function marked(src, opt, callback) { | |
} | ||
|
||
opt = merge({}, marked.defaults, opt || {}); | ||
checkSanitizeDeprecation(opt); | ||
|
||
var highlight = opt.highlight, | ||
tokens, | ||
|
@@ -1621,6 +1628,7 @@ function marked(src, opt, callback) { | |
} | ||
try { | ||
if (opt) opt = merge({}, marked.defaults, opt); | ||
checkSanitizeDeprecation(opt); | ||
return Parser.parse(Lexer.lex(src, opt), opt); | ||
} catch (e) { | ||
e.message += '\nPlease report this to https://github.com/markedjs/marked.'; | ||
|
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,6 @@ | ||
<p>AAA<script> <img <script> src=x onerror=alert(1) />BBB</p> | ||
|
||
<p>AAA<sometag> <img <sometag> src=x onerror=alert(1)BBB</p> | ||
|
||
<p><a>a2<a2t>a2</a> b <c>c</c> d</p> | ||
<h1 id="text"><img src="URL" alt="text"></h1> |
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,9 @@ | ||
--- | ||
sanitize: true | ||
--- | ||
AAA<script> <img <script> src=x onerror=alert(1) />BBB | ||
|
||
AAA<sometag> <img <sometag> src=x onerror=alert(1)BBB | ||
|
||
<a>a2<a2t>a2</a> b <c>c</c> d | ||
# ![text](URL) |
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,2 @@ | ||
<p>a2a2 b c d</p> | ||
<h1 id="text"><img src="URL" alt="text"></h1> |
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,6 @@ | ||
--- | ||
sanitize: true | ||
sanitizer: () => '' | ||
--- | ||
<a>a2<a2t>a2</a> b <c>c</c> d | ||
# ![text](URL) |
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1 @@ | ||
<p>AAA</p> |
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,5 @@ | ||
--- | ||
sanitize: true | ||
sanitizer: () => '' | ||
--- | ||
AAA<script> <img <script> src=x onerror=alert(1) />BBB |
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1 @@ | ||
<p>AAA <img src=x onerror=alert(1)BBB</p> |
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,5 @@ | ||
--- | ||
sanitize: true | ||
sanitizer: () => '' | ||
--- | ||
AAA<sometag> <img <sometag> src=x onerror=alert(1)BBB |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Could we have this list in one place and just link to it. I feel like it will be hard to keep these lists in sync if we ever have to update them.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Any suggestion where would you like to put that list exactly? It's your project afterall and I feel like this is the point where this change has nothing to do with the security fix.
Also there are already two README.mds (
/README.md
and/docs/README.md
) with similar content, so you have to keep those in sync too...There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@koczkatamas: Thank you so much for this!
@styfle: Where would the best place be to store this list? Thinking it would be a nice list for users moving forward as we are planning to get out of the sanitizer business and working looking for things like this anyway. (I have a note to catch up on what I've missed with all the weirdness of life soon.)