markdown-it
Comparing version 4.0.3 to 4.1.0
@@ -0,1 +1,11 @@ | ||
4.1.0 / 2015-03-31 | ||
------------------ | ||
- Security: disabled `data:` URLs by default (except some image mimes), to avoid | ||
possible XSS. Version bumped, because features changed (formally). If you did | ||
not used `data:` URLs, consider this version as 4.0.4 (no API changes). | ||
- Simplified link validator code. Now more easy to understand and to copy | ||
into your projects for customization. | ||
4.0.3 / 2015-03-25 | ||
@@ -2,0 +12,0 @@ ------------------ |
@@ -23,16 +23,23 @@ // Main perser class | ||
//////////////////////////////////////////////////////////////////////////////// | ||
// | ||
// This validator does not pretend to functionality of full weight sanitizers. | ||
// It's a tradeoff between default security, simplicity and usability. | ||
// If you need different setup - override validator method as you wish. Or | ||
// replace it with dummy function and use external sanitizer. | ||
// | ||
var BAD_PROTOCOLS = [ 'vbscript', 'javascript', 'file' ]; | ||
var BAD_PROTO_RE = /^(vbscript|javascript|file|data):/; | ||
var GOOD_DATA_RE = /^data:image\/(gif|png|jpeg|webp);/; | ||
function validateLink(url) { | ||
// url should be normalized at this point, and existing entities are decoded | ||
// | ||
var str = url.trim().toLowerCase(); | ||
if (str.indexOf(':') >= 0 && BAD_PROTOCOLS.indexOf(str.split(':')[0]) >= 0) { | ||
return false; | ||
} | ||
return true; | ||
return BAD_PROTO_RE.test(str) ? (GOOD_DATA_RE.test(str) ? true : false) : true; | ||
} | ||
//////////////////////////////////////////////////////////////////////////////// | ||
var RECODE_HOSTNAME_FOR = [ 'http:', 'https:', 'mailto:' ]; | ||
@@ -39,0 +46,0 @@ |
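Review bot: The new return line in validateLink wraps a boolean test in a redundant inner ternary (`GOOD_DATA_RE.test(str) ? true : false`), which makes the policy harder to read than it is; `return !BAD_PROTO_RE.test(str) || GOOD_DATA_RE.test(str);` expresses the same decision directly. GOOD_DATA_RE also requires a `;` immediately after the mime type, so an image data URL written without a parameter (the `data:image/png,...` form) is rejected even though its type is on the allowlist; that is a conservative choice, but it deserves a comment above the regex, e.g. `// Allowlist of data: image types; only the ';param' form (normally ';base64') passes`. The in-function comment states the URL is already normalized and entity-decoded, and since both regexes are anchored on the scheme the validator's correctness rests on that guarantee; given the changelog invites copying this code into other projects, a one-line note naming the normalization step it depends on would help readers who lift it out of context.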
{ | ||
"name": "markdown-it", | ||
"version": "4.0.3", | ||
"version": "4.1.0", | ||
"description": "Markdown-it - modern pluggable markdown parser.", | ||
@@ -5,0 +5,0 @@ "keywords": [ |
@@ -256,4 +256,9 @@ # markdown-it | ||
**Ports** | ||
- [motion-markdown-it](https://github.com/digitalmoksha/motion-markdown-it) - Ruby/RubyMotion | ||
## License | ||
[MIT](https://github.com/markdown-it/markdown-it/blob/master/LICENSE) |