diff options
author | Daniel Baumann <daniel.baumann@progress-linux.org> | 2024-04-29 04:24:24 +0000 |
---|---|---|
committer | Daniel Baumann <daniel.baumann@progress-linux.org> | 2024-04-29 04:24:24 +0000 |
commit | 12e8343068b906f8b2afddc5569968a8a91fa5b0 (patch) | |
tree | 75cc5e05a4392ea0292251898f992a15a16b172b /tests/test_port/fixtures/xss.md | |
parent | Initial commit. (diff) | |
download | markdown-it-py-12e8343068b906f8b2afddc5569968a8a91fa5b0.tar.xz markdown-it-py-12e8343068b906f8b2afddc5569968a8a91fa5b0.zip |
Adding upstream version 2.1.0.upstream/2.1.0upstream
Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
Diffstat (limited to '')
-rw-r--r-- | tests/test_port/fixtures/xss.md | 128 |
1 files changed, 128 insertions, 0 deletions
diff --git a/tests/test_port/fixtures/xss.md b/tests/test_port/fixtures/xss.md new file mode 100644 index 0000000..7c0512e --- /dev/null +++ b/tests/test_port/fixtures/xss.md @@ -0,0 +1,128 @@ +. +[normal link](javascript) +. +<p><a href="javascript">normal link</a></p> +. + + +Should not allow some protocols in links and images +. +[xss link](javascript:alert(1)) + +[xss link](JAVASCRIPT:alert(1)) + +[xss link](vbscript:alert(1)) + +[xss link](VBSCRIPT:alert(1)) + +[xss link](file:///123) +. +<p>[xss link](javascript:alert(1))</p> +<p>[xss link](JAVASCRIPT:alert(1))</p> +<p>[xss link](vbscript:alert(1))</p> +<p>[xss link](VBSCRIPT:alert(1))</p> +<p>[xss link](file:///123)</p> +. + + +. +[xss link]("><script>alert("xss")</script>) + +[xss link](Javascript:alert(1)) + +[xss link](&#74;avascript:alert(1)) + +[xss link](\Javascript:alert(1)) +. +<p><a href="%22%3E%3Cscript%3Ealert(%22xss%22)%3C/script%3E">xss link</a></p> +<p>[xss link](Javascript:alert(1))</p> +<p><a href="&#74;avascript:alert(1)">xss link</a></p> +<p><a href="&#74;avascript:alert(1)">xss link</a></p> +. + +. +[xss link](<javascript:alert(1)>) +. +<p>[xss link](<javascript:alert(1)>)</p> +. + +. +[xss link](javascript:alert(1)) +. +<p>[xss link](javascript:alert(1))</p> +. + + +Should not allow data-uri except some whitelisted mimes +. +![](data:image/gif;base64,R0lGODlhAQABAIAAAAAAAP///yH5BAEAAAAALAAAAAABAAEAAAIBRAA7) +. +<p><img src="data:image/gif;base64,R0lGODlhAQABAIAAAAAAAP///yH5BAEAAAAALAAAAAABAAEAAAIBRAA7" alt=""></p> +. + +. +[xss link](data:text/html;base64,PHNjcmlwdD5hbGVydCgnWFNTJyk8L3NjcmlwdD4K) +. +<p>[xss link](data:text/html;base64,PHNjcmlwdD5hbGVydCgnWFNTJyk8L3NjcmlwdD4K)</p> +. + +. +[normal link](/javascript:link) +. +<p><a href="/javascript:link">normal link</a></p> +. + + +Image parser use the same code base as link. +. +![xss link](javascript:alert(1)) +. +<p>![xss link](javascript:alert(1))</p> +. + + +Autolinks +. +<javascript:alert(1)> + +<javascript:alert(1)> +. +<p><javascript:alert(1)></p> +<p><javascript:alert(1)></p> +. + + +Linkifier +. +javascript:alert(1) + +javascript:alert(1) +. +<p>javascript:alert(1)</p> +<p>javascript:alert(1)</p> +. + + +References +. +[test]: javascript:alert(1) +. +<p>[test]: javascript:alert(1)</p> +. + + +Make sure we decode entities before split: +. +```js custom-class +test1 +``` + +```jscustom-class +test2 +``` +. +<pre><code class="js">test1 +</code></pre> +<pre><code class="js">test2 +</code></pre> +. |