Kharec/m2h
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

feat: improve url sanitization

Browse Source
This commit is contained in:
Sandro CURY CAZZANIGA
2025-12-11 15:57:25 +01:00
parent cf77dd5cf2
commit 9bd98b4fb9
1 changed files with 16 additions and 5 deletions
Download Patch File Download Diff File Expand all files Collapse all files

21
lib/MarkdownParser.pm
View File

@@ -379,10 +379,22 @@ s/\x01F$i\x02/<$part->{tag}>@{[escape_html($part->{content})]}<\/$part->{tag}>/;
sub is_safe_url { sub is_safe_url {
my ($url) = @_; my ($url) = @_;
return 0 if $url =~ /^\s*javascript:/i; my $normalized = $url // '';
return 0 if $url =~ /^\s*data:/i;
return 0 if $url =~ /^\s*vbscript:/i; $normalized =~ s/^\s+//;
return 0 if $url =~ /^\s*file:/i; $normalized =~ s/\s+$//;
$normalized =~ s/%([0-9A-Fa-f]{2})/chr(hex($1))/eg
while $normalized =~ /%[0-9A-Fa-f]{2}/;
$normalized =~ s/&#x([0-9A-Fa-f]+);?/chr(hex($1))/eg;
$normalized =~ s/&#(\d+);?/chr($1)/eg;
if ( $normalized =~ /^([a-z][a-z0-9+\-.]*):/i ) {
my $scheme = lc $1;
return 1
if $scheme eq 'http' || $scheme eq 'https' || $scheme eq 'mailto';
return 0;
}
return 1; return 1;
} }
@@ -397,4 +409,3 @@ sub escape_html {
} }
1; 1;