From 59358adea87fa5061b5c21be571a3480bf0217a9 Mon Sep 17 00:00:00 2001
From: Darren Coxall
Date: Mon, 9 Dec 2013 14:41:37 +0000
Subject: [PATCH 1/2] Relative URIs are considered safe
---
 inline.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/inline.go b/inline.go
index 0e7cb86..0348dbf 100644
--- a/inline.go
+++ b/inline.go
@@ -718,7 +718,7 @@ func autoLink(p *parser, out *bytes.Buffer, data []byte, offset int) int {
 return linkEnd - rewind
 }
-var validUris = [][]byte{[]byte("http://"), []byte("https://"), []byte("ftp://"), []byte("mailto://")}
+var validUris = [][]byte{[]byte("http://"), []byte("https://"), []byte("ftp://"), []byte("mailto://"), []byte("/")}
 func isSafeLink(link []byte) bool {
 for _, prefix := range validUris {
From 607ec21435b204dcc7cb489212e2d8b6a509f4ed Mon Sep 17 00:00:00 2001
From: Darren Coxall
Date: Thu, 19 Dec 2013 10:00:47 +0000
Subject: [PATCH 2/2] Tests for links when using HTML_SAFELINK
---
 inline_test.go | 28 ++++++++++++++++++++++++++++
 1 file changed, 28 insertions(+)
diff --git a/inline_test.go b/inline_test.go
index b7a1688..a9862ce 100644
--- a/inline_test.go
+++ b/inline_test.go
@@ -32,6 +32,10 @@ func doTestsInline(t *testing.T, tests []string) {
 doTestsInlineParam(t, tests, 0, 0)
 }
+func doSafeTestsInline(t *testing.T, tests []string) {
+ doTestsInlineParam(t, tests, 0, HTML_SAFELINK)
+}
+
 func doTestsInlineParam(t *testing.T, tests []string, extensions, htmlFlags int) {
 // catch and report panics
 var candidate string
@@ -417,6 +421,30 @@ func TestInlineLink(t *testing.T) {
 doTestsInline(t, tests)
 }
+func TestSafeInlineLink(t *testing.T) {
+ var tests = []string{
+ "[foo](/bar/)\n",
+ "
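Review bot: Adding `[]byte("/")` to validUris makes every link that begins with a slash pass isSafeLink, and that includes scheme-relative references of the form `//host/path`, which the browser resolves against a different origin; if the loop body (outside the hunk) is a plain prefix match, as the prefix table suggests, HTML_SAFELINK no longer confines slash-prefixed links to the current site. Reject the double-slash form before the prefix loop, e.g. `if len(link) >= 2 && link[0] == '/' && link[1] == '/' { return false }`, and record the intent on the table with `// "/" admits site-relative links only; scheme-relative "//" is rejected separately in isSafeLink`. TestSafeInlineLink in PATCH 2/2 should then gain a `"[foo](//bar/)\n"` case under "Not considered safe" so the distinction stays tested. isSafeLink's body continues past the end of the hunk.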

foo

\n", + + "[foo](http://bar/)\n", + "

foo

\n", + + "[foo](https://bar/)\n", + "

foo

\n", + + "[foo](ftp://bar/)\n", + "

foo

\n", + + "[foo](mailto://bar/)\n", + "

foo

\n", + + // Not considered safe + "[foo](baz://bar/)\n", + "

foo

\n", + } + doSafeTestsInline(t, tests) +} + func TestReferenceLink(t *testing.T) { var tests = []string{ "[link][ref]\n",