Vytautas Šaltenis
55cd82008e
Rewrite protection against JavaScript injection
...
This drops the naive approach at <script> tag stripping and resorts to
full sanitization of html. The general idea (and the regexps) is grabbed
from Stack Exchange's PageDown JavaScript Markdown processor[1]. Like in
PageDown, it's implemented as a separate pass over resulting html.
Includes a metric ton (but not all) of test cases from here[2]. Several
are commented out since they don't pass yet.
Stronger (but still incomplete) fix for #11.
[1] http://code.google.com/p/pagedown/wiki/PageDown
[2] https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet
2014-01-22 01:14:35 +02:00
Vytautas Šaltenis
e02c392dc6
Extract useful code to separate func
2014-01-22 00:45:43 +02:00
Vytautas Šaltenis
5405274d99
Merge pull request #44 from FreakyDazio/safe-relatives
...
Relative URIs are considered safe
2014-01-08 11:51:13 -08:00
Vytautas Šaltenis
0c38d23ca2
Merge pull request #43 from microcosm-cc/master
...
Cells in THEAD > TR are now TH.
2014-01-08 11:46:30 -08:00
Darren Coxall
607ec21435
Tests for links when using HTML_SAFELINK
2013-12-19 10:00:47 +00:00
Darren Coxall
59358adea8
Relative URIs are considered safe
2013-12-09 14:41:37 +00:00
Russ Ross
d0e587acc8
Change GOROOT references to GOPATH in README
2013-11-21 08:47:41 -07:00
David Kitchen
5b954f1f77
Updated tests to check for th tags instead of td tags within thead blocks
2013-10-17 10:35:44 +01:00
David Kitchen
6e6572e913
Added th to table headers so that styling with things like Twitter Bootstrap and typeset.css work as expected. Cells in headers should always be TH unless they are advisory cells within headers in which case TD is acceptable (but being Markdown a user with such needs could just enter HTML for this)
2013-10-16 11:36:33 +01:00
Russ Ross
48d1f9d9cc
fix smartypants to pass single backticks through, issue #38
2013-10-01 13:55:34 -06:00
Russ Ross
ca82b8db3a
panic fix (issue #33) with test case
2013-09-11 12:47:43 -06:00
Lancee
472fe3a756
Merge pull request #32 from bertzzie/master
...
Enable Parsing Inside a Link
2013-09-08 23:16:18 -07:00
Alex Xandra Albert Sim
e250348279
Image inside a link now works.
2013-09-09 12:51:46 +07:00
Alex Xandra Albert Sim
da8f2753e2
Added test for link inside image
2013-09-09 12:51:20 +07:00
Vytautas Šaltenis
3f24fadb28
Merge pull request #31 from aybabtme/patch-1
...
Fix typo.
2013-09-01 11:56:32 -07:00
Antoine Grondin
bd3e6c9492
Fix typo.
2013-09-01 10:59:06 -07:00
Russ Ross
d4bdd8db21
update license language to match OSI
2013-08-14 07:43:17 -06:00
Vytautas Šaltenis
8395200adf
Merge pull request #29 from athom/master
...
add EXTENSION_NO_EMPTY_LINE_BEFORE_BLOCK flag to make it closer to GFM
2013-08-10 13:13:13 -07:00
athom
31798e0eab
add testcase for GFM autolink
2013-08-09 17:24:26 +08:00
athom
16c09b01bd
make autolink perform like GFM
2013-08-09 16:28:35 +08:00
athom
8751c35d1a
add EXTENSION_NO_EMPTY_LINE_BEFORE_BLOCK flag to make it closer to GFM (Github flavor Markdown)
2013-07-30 10:32:11 +08:00
Vytautas Šaltenis
264c82ed4b
Merge pull request #27 from moshee/master
...
Footnotes (addresses #14)
2013-07-08 23:03:42 -07:00
moshee
3ea84a5811
parser no longer returns prematurely from empty footnote ref
2013-07-08 22:34:12 +00:00
moshee
4513607d62
leftover debug stuff
2013-07-08 09:42:29 +00:00
moshee
1a73bae554
added slice bounds check
2013-07-08 06:54:25 +00:00
moshee
c23099e5ee
Implementation and some tests for inline footnotes. Also I noticed the list items had the wrong ids, that was silly of me.
2013-07-01 01:37:52 +00:00
moshee
8346559a1a
Referenced footnotes appear to be functional. Inline still unimplemented.
2013-06-26 16:09:27 +00:00
moshee
7bdb82c53a
new tests pass but old tests now fail...
2013-06-26 15:57:51 +00:00
moshee
be082a1ef2
First attempt at supporting Pandoc-style footnotes. The existing tests have not broken but the new functionality does not work yet.
2013-06-25 01:18:47 +00:00
Vytautas Šaltenis
2336fd3109
Merge pull request #22 from rtfb/master
...
Add some protection against script injection
2013-05-21 13:19:17 -07:00
Russ Ross
015b0af435
Merge pull request #24 from subosito/sample-fixes
...
Fix table syntax example on README
2013-05-20 15:15:38 -07:00
Alif Rachmawadi
227e2c0094
fix table syntax example
2013-05-05 10:35:09 +07:00
Vytautas Šaltenis
8226238289
Improve html element stripping code
2013-04-18 03:15:47 +03:00
Vytautas Šaltenis
079a55851d
Fix typo
2013-04-14 01:44:18 +03:00
Vytautas Šaltenis
375cae5dbe
Add HTML_SKIP_SCRIPT to MarkdownCommon
2013-04-14 01:43:21 +03:00
Vytautas Šaltenis
85e2207cd0
Couple more tests
2013-04-14 01:42:47 +03:00
Vytautas Šaltenis
dcaaa9b5dc
More <script> stripping
...
Partially addresses issue #11.
2013-04-13 23:24:30 +03:00
Vytautas Šaltenis
fb923cdb78
Add an option to strip <script> elements
...
Partially addresses issue #11.
2013-04-13 22:57:16 +03:00
Vytautas Šaltenis
b79e720a36
Make isHtmlTag() case insensitive
2013-04-13 22:34:37 +03:00
Vytautas Šaltenis
a2fda5e98f
Extract repetitive code to a func
2013-04-13 22:26:29 +03:00
Vytautas Šaltenis
d5a8df164b
Fix bug in isHtmlTag()
...
Fix what seems to be a typo. j should iterate through all tagname, so it
should be initialized to zero. The test exposes this bug.
2013-04-13 22:21:47 +03:00
Vytautas Šaltenis
90509d39d4
Make a way to parameterize inline tests
...
Expose extensions and html flags parameters so that tests could specify
what code paths they want to exercise.
2013-04-13 22:18:14 +03:00
Russ Ross
3c0965e698
Merge pull request #16 from cespare/blockcodegithub_doc_fix
...
Fix up method documentation formatting for the BlockCodeGithub method.
2012-11-22 18:00:19 -08:00
Caleb Spare
a25d9a543f
Fix html tag ordering in doc string.
2012-11-22 12:52:56 -08:00
Caleb Spare
d0d854958e
Fix up method documentation formatting.
2012-11-22 12:12:08 -08:00
Russ Ross
585af8ba49
Merge pull request #15 from moshee/master
...
HTML5
2012-10-22 06:39:47 -07:00
moshee
e69cdde766
Add some HTML5
2012-10-21 21:28:31 -07:00
moshee
8a86b6d6be
HTML5 doctype, Wrap TOC with <nav>
...
<nav> makes the TOC more easily identifiable and workable with CSS.
2012-10-21 21:23:44 -07:00
Russ Ross
b3c6494605
recognize fraction slash as well as regular slash to make fractions
2012-03-11 16:10:42 -06:00
Russ Ross
82ba58501c
link directly to blackfriday-tool
2012-03-07 22:12:46 -07:00