marked v15 does not filter dangerous URL protocols. The default link renderer passes href values through verbatim, so markdown like `[click](javascript:alert(1))` renders as a clickable XSS link in shared/exported session HTML. Add custom link and image renderers that: - Block javascript:, vbscript:, and data: protocol URLs - Escape href/title/alt attributes via escapeHtml() Also escape img.mimeType in session image rendering to prevent attribute breakout from crafted session JSONL. Fixes #3531
29 lines
1.1 KiB
TypeScript
29 lines
1.1 KiB
TypeScript
import { readFileSync } from "fs";
|
|
import { describe, expect, it } from "vitest";
|
|
|
|
describe("export HTML markdown link sanitization", () => {
|
|
const templateJs = readFileSync(new URL("../src/core/export-html/template.js", import.meta.url), "utf-8");
|
|
|
|
it("overrides the marked link renderer to block javascript: protocol", () => {
|
|
// The custom link renderer must check for dangerous protocols
|
|
expect(templateJs).toMatch(/link\s*\(\s*token\s*\)/);
|
|
expect(templateJs).toMatch(/javascript/i);
|
|
expect(templateJs).toMatch(/vbscript/i);
|
|
});
|
|
|
|
it("overrides the marked image renderer to block javascript: protocol", () => {
|
|
expect(templateJs).toMatch(/image\s*\(\s*token\s*\)/);
|
|
});
|
|
|
|
it("escapes href attributes in the custom link renderer", () => {
|
|
// The link renderer must escape href values to prevent attribute breakout
|
|
expect(templateJs).toMatch(/escapeHtml\(href\)/);
|
|
});
|
|
|
|
it("escapes image mimeType attributes", () => {
|
|
// Image mimeType must be escaped to prevent attribute breakout
|
|
expect(templateJs).not.toMatch(/\$\{img\.mimeType\}/);
|
|
expect(templateJs).toMatch(/escapeHtml\(img\.mimeType/);
|
|
});
|
|
});
|