1
0
mirror of https://github.com/danog/blackfriday.git synced 2024-12-02 09:27:49 +01:00
Commit Graph

400 Commits

Author SHA1 Message Date
Martin Probst
f9b7593e65 fix: Handle all different token types that the parser can emit (d'oh). 2014-05-01 20:55:53 +02:00
Vytautas Šaltenis
60ba757eaa Merge branch 'gihnius-master' 2014-05-01 21:46:51 +03:00
Vytautas Šaltenis
3dba5bc56e Merge branch 'master' of github.com:gihnius/blackfriday into gihnius-master
Conflicts:
	html.go
	inline_test.go
2014-05-01 21:43:42 +03:00
Vytautas Šaltenis
b44be78459 Allow rel attribute in sanitizer
Fixes issue #68.
2014-05-01 20:49:49 +03:00
Vytautas Šaltenis
b54984b711 Merge pull request #69 from mprobst/master
Use go.net/html's parser to sanitize HTML.
2014-05-01 20:47:17 +03:00
Martin Probst
41251715ad Use go.net/html's parser to sanitize HTML.
Use an HTML5 compliant parser that interprets HTML as a browser would to parse
the Markdown result and then sanitize based on the result.
Escape unrecognized and disallowed HTML in the result.
Currently works with a hard coded whitelist of safe HTML tags and attributes.
2014-04-27 23:40:44 +02:00
Vytautas Šaltenis
3ca168f879 Merge pull request #64 from willnix/master
Add table tags to the whitelist.
2014-04-20 23:15:54 +03:00
willnix
be9cbc634a tagWhitelist allows alignment attribute now
This is the closest I could get to removing everything "unsave" without introducing an additional regex.
2014-04-19 21:59:04 +00:00
willnix
c1e4996787 Add table tags to the whitelist.
Fixing:
55cd82008e

This commit introduced a html tag whitelist which does not include any table tags (<td>,<tr>,<thead>...). Therefore even tables the markdown parser itself generated will be removed.
2014-04-17 15:44:40 +00:00
Vytautas Šaltenis
9c7cf8b1b7 Merge pull request #61 from shurcooL/feature/dont-expand-tabs-inside-fenced-code-blocks
Don't expand tabs inside fenced code blocks.
2014-04-13 10:56:02 +03:00
Dmitri Shuralyov
ad246ef7a5 Don't expand tabs inside fenced code blocks.
Still do normalize newlines inside fenced code blocks.
2014-04-12 14:45:25 -07:00
Vytautas Šaltenis
5bcdd5eb7f Merge pull request #60 from shurcooL/fix/fenced-code-block-extra-newline
Fix for potential extra newline added inside fenced code blocks.
2014-04-12 21:58:08 +03:00
Dmitri Shuralyov
8df342acd5 Fix bug where newlines were inserted inside fenced code blocks.
Change firstPass() code that checks for fenced code blocks to check all
of them and properly keep track of lastFencedCodeBlockEnd.
This way, it won't misinterpret the end of a fenced code block as a
beginning of a new one.
2014-04-11 21:27:28 -07:00
Dmitri Shuralyov
ef2a2b02dc Add failing test for an issue introduced by PR #56.
The issue is that when there are more than 1 fenced code blocks with a
blank line before and after, the parser introduces a single extra new
line to all the fenced code blocks except the last one.
2014-04-11 19:54:55 -07:00
Vytautas Šaltenis
c5ece173ad Merge pull request #59 from johnsto/master
Header ID specifiers
2014-04-11 21:31:27 +03:00
Vytautas Šaltenis
1fd57a277b Merge pull request #56 from muhqu/issue/45
Fix for Fenced Code Blocks without a blank line before
2014-04-08 13:00:13 +03:00
Mathias Leppich
cb288d6b5d Revert "add an infinity-loop detection to block-level parsing"
This reverts commit 0c62e28e90.
2014-04-08 11:51:17 +02:00
Dave Johnston
924064f3f7 Also support header IDs in ## headers ## 2014-04-06 10:30:40 +01:00
Dave Johnston
7ad5f9c119 Correctly emit trailing header ID brace 2014-04-05 20:59:03 +01:00
Dave Johnston
cf01a94556 Add Header IDs to default extensions 2014-04-05 20:45:57 +01:00
Dave Johnston
2dff0864f0 Add header ID support and tests: # Header {#myid} 2014-04-05 20:42:58 +01:00
Vytautas Šaltenis
78dbffcfb7 Merge pull request #58 from aspic/master
Explicit return byte array at end of function.
2014-04-05 21:48:09 +03:00
Kjetil Mehl
786aed6213 Explicit return byte array at end of function. 2014-04-05 16:59:28 +02:00
Mathias Leppich
17ca261449 optimisation: only fix fenced code blocks if the extensions parser flag is set... ;-) 2014-04-01 23:20:18 +02:00
Mathias Leppich
093273323a out-comment stderr debug output 2014-03-30 22:40:43 +02:00
Mathias Leppich
ec90dd0fc4 add some stderr output to reference stress tests 2014-03-30 22:40:43 +02:00
Mathias Leppich
cd3fa08cb1 fix issue #45: 'Fenced Code Blocks without a blank line before'
Add missing newline between paragraph and fenced code block within `firstPass()`.
2014-03-30 22:40:43 +02:00
Mathias Leppich
a4274bba51 add error message when panic has been raised within doTestsBlock() 2014-03-30 22:40:43 +02:00
Mathias Leppich
0c62e28e90 add an infinity-loop detection to block-level parsing 2014-03-30 22:40:43 +02:00
Mathias Leppich
d4c367a949 add test cases for issue #45 2014-03-30 22:40:43 +02:00
Vytautas Šaltenis
55bb56bf9b Merge pull request #55 from rtfb/master
Autolink fixes
2014-03-30 19:58:39 +03:00
Vytautas Šaltenis
d643453f1e Merge pull request #50 from rtfb/master
Better protection against JavaScript injection
2014-03-30 19:52:13 +03:00
gihnius
c9977f0c0b test: add nofollow ref for non internal links only 2014-03-21 11:17:31 +08:00
gihnius
93484b1424 add nofollow ref for non internal links only 2014-03-21 11:14:58 +08:00
gihnius
ecf59d4a55 add target blank attr 2014-03-21 10:52:46 +08:00
Vytautas Šaltenis
e078bb8ec3 Merge pull request #52 from laslowh/master
add HTML_NOFOLLOW_LINKS
2014-03-10 21:47:35 +02:00
Graham Miller
d71c759108 add HTML_NOFOLLOW_LINKS 2014-02-25 09:21:57 -05:00
Vytautas Šaltenis
e5937643a9 Fix bug in autolink with trailing semicolon
In case the link ends with escaped html entity, the semicolon is a part
of the link and should not be interpreted as punctuation.
2014-02-17 21:09:04 +02:00
Vytautas Šaltenis
b0bdfbec4c Fix bug in autolink overescaping html entities
If autolink encounters a link which already has an escaped html entity,
it would escape the ampersand again, producing things like these:
    &amp;  --> &amp;amp;
    &quot; --> &amp;quot;
This commit solves that by first looking for all entity-looking things
in the link and copying those ranges verbatim, only considering the rest
of the string for escaping.
Doesn't seem to have considerable performance impact.
The mailto: links are processed the old way.
2014-02-17 21:09:04 +02:00
Vytautas Šaltenis
cc0d56d092 Extract a chain of ifs into separate func
This gives a ~10% slowdown of a full test run, which is tolerable.
Switch statement is still slightly slower (~5%). Using map turned out to
be unacceptably slow (~3x slowdown).
2014-02-17 21:09:04 +02:00
Vytautas Šaltenis
84ee8e62f6 Add a note about JavaScript injections to README 2014-02-17 21:09:03 +02:00
Vytautas Šaltenis
31a96c6ce7 go fmt 2014-02-17 21:09:03 +02:00
Vytautas Šaltenis
f2d43f69a4 Fix bug in autolink termination
Detect the end of link when it is immediately followed by an element.
2014-02-17 21:09:03 +02:00
Vytautas Šaltenis
9fc8c9d866 Fix bug with overzealous autolink processing
When the source Markdown contains an anchor tag with URL as link text
(i.e. <a href=...>http://foo.bar</a>), autolink converts that link text
into another anchor tag, which is nonsense. Detect this situation with
regexp and early exit autolink processing.
2014-02-17 21:09:03 +02:00
Vytautas Šaltenis
2f50a53f8e Rename HTML_SKIP_SCRIPT to HTML_SANITIZE_OUTPUT 2014-01-22 01:23:43 +02:00
Vytautas Šaltenis
55cd82008e Rewrite protection against JavaScript injection
This drops the naive approach at <script> tag stripping and resorts to
full sanitization of html. The general idea (and the regexps) is grabbed
from Stack Exchange's PageDown JavaScript Markdown processor[1]. Like in
PageDown, it's implemented as a separate pass over resulting html.

Includes a metric ton (but not all) of test cases from here[2]. Several
are commented out since they don't pass yet.

Stronger (but still incomplete) fix for #11.

[1] http://code.google.com/p/pagedown/wiki/PageDown
[2] https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet
2014-01-22 01:14:35 +02:00
Vytautas Šaltenis
e02c392dc6 Extract useful code to separate func 2014-01-22 00:45:43 +02:00
Vytautas Šaltenis
5405274d99 Merge pull request #44 from FreakyDazio/safe-relatives
Relative URIs are considered safe
2014-01-08 11:51:13 -08:00
Vytautas Šaltenis
0c38d23ca2 Merge pull request #43 from microcosm-cc/master
Cells in THEAD > TR are now TH.
2014-01-08 11:46:30 -08:00
Darren Coxall
607ec21435 Tests for links when using HTML_SAFELINK 2013-12-19 10:00:47 +00:00