

fixes a possible 'javascript:' protocol exploit [backport:1.0] (#19134)
* fixes a possible 'javascript:' protocol exploit [backport:1.0]

* add tests

* Update tests/stdlib/trstgen.nim

* add the same logic for hyperlinks

* move the logic into a proc

Co-authored-by: narimiran <[email protected]>
(cherry picked from commit 9338aa2)
Araq authored and narimiran committed Dec 10, 2021
1 parent f8047c3 commit 17522d6
Showing 1 changed file with 13 additions and 1 deletion.
14 changes: 13 additions & 1 deletion lib/packages/docutils/rstgen.nim
Expand Up @@ -26,7 +26,7 @@
## **Note:** Import ``packages/docutils/rstgen`` to use this module

import strutils, os, hashes, strtabs, rstast, rst, highlite, tables, sequtils,
algorithm, parseutils
algorithm, parseutils, strscans

import ../../std/private/since

Expand Down Expand Up @@ -786,6 +786,16 @@ proc renderOverline(d: PDoc, n: PRstNode, result: var string) =
rstnodeToRefname(n), tmp, $chr(n.level - 1 + ord('A'))])


proc safeProtocol(linkStr: var string) =
var protocol = ""
if scanf(linkStr, "$w:", protocol):
# if it has a protocol at all, ensure that it's not 'javascript:' or worse:
if cmpIgnoreCase(protocol, "http") == 0 or cmpIgnoreCase(protocol, "https") == 0 or
cmpIgnoreCase(protocol, "ftp") == 0:
discard "it's fine"
else:
linkStr = ""

proc renderTocEntry(d: PDoc, e: TocEntry, result: var string) =
dispA(d.target, result,
"<li><a class=\"reference\" id=\"$1_toc\" href=\"#$1\">$2</a></li>\n",
Expand Down Expand Up @@ -850,6 +860,8 @@ proc renderImage(d: PDoc, n: PRstNode, result: var string) =

# support for `:target:` links for images:
var target = esc(d.target, getFieldValue(n, "target").strip())
safeProtocol(target)

if target.len > 0:
# `htmlOut` needs to be of the following format for link to work for images:
# <a class="reference external" href="target"><img src=\"$1\"$2/></a>
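Review bot: `safeProtocol` only recognizes a scheme written as word characters immediately followed by `:`, so a link whose scheme text is interrupted by ASCII tab or newline — characters the WHATWG URL parser discards before it reads the scheme — does not match `$w:` and is passed through unchanged; reject or strip those characters before scanning, and compare the scheme against the allowlist once instead of three `cmpIgnoreCase` calls. A link that fails the check is silently replaced by the empty string, which deserves a `##` doc comment on the proc saying that scheme-less (relative) links are kept, only http/https/ftp survive, and everything else is dropped; emitting a warning through the document's message handler, if `PDoc` provides one, would let authors notice the dropped link. The `strip()` on the image target at the call site is what protects the scan from leading whitespace; the hyperlink call site mentioned in the description is not visible in this section, so its input should be checked the same way. Proposed rewrite of the proc:
```nim
proc safeProtocol(linkStr: var string) =
  ## Empties `linkStr` unless it is scheme-less (relative) or uses the
  ## http, https or ftp scheme. Control characters are rejected outright
  ## because browser URL parsers drop ASCII tab/newline before parsing
  ## the scheme, which would otherwise hide it from the scan below.
  if linkStr.find({'\0'..'\x1F', '\x7F'}) >= 0:
    linkStr = ""
    return
  var protocol = ""
  if scanf(linkStr, "$w:", protocol):
    if protocol.toLowerAscii notin ["http", "https", "ftp"]:
      linkStr = ""
```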

