author | =Corey Hulen <corey@hulen.com> | 2016-03-14 10:23:51 -0700 |
---|---|---|
committer | =Corey Hulen <corey@hulen.com> | 2016-03-14 10:23:51 -0700 |
commit | ea3f25924ea64a2dd1e73624c0d30824e1efb240 (patch) | |
tree | a4a2b2bdc37bd675fb89837713995ad44a27427b /web/react/utils/markdown.jsx | |
parent | 397ebec88c2db3569efd77238bf877e976492d34 (diff) | |
parent | bf7ae0711743926cfbb031675cc3320d7a942465 (diff) | |
Merge branch 'master' into PLT-2115
Diffstat (limited to 'web/react/utils/markdown.jsx')
-rw-r--r-- | web/react/utils/markdown.jsx | 25 |
1 files changed, 25 insertions, 0 deletions
diff --git a/web/react/utils/markdown.jsx b/web/react/utils/markdown.jsx
index 493916058..2b1aed9c0 100644
--- a/web/react/utils/markdown.jsx
+++ b/web/react/utils/markdown.jsx
@@ -193,6 +193,16 @@ class MattermostMarkdownRenderer extends marked.Renderer {
             outHref = outHref.substring(1, outHref.length - 1);
         }
 
+        try {
+            const unescaped = decodeURIComponent(unescape(href)).replace(/[^\w:]/g, '').toLowerCase();
+
+            if (unescaped.indexOf('javascript:') === 0 || unescaped.indexOf('vbscript:') === 0) { // eslint-disable-line no-script-url
+                return '';
+            }
+        } catch (e) {
+            return '';
+        }
+
         if (!(/[a-z+.-]+:/i).test(outHref)) {
             outHref = `http://${outHref}`;
         }
@@ -548,3 +558,18 @@ export function format(text, options) {
     return new MattermostParser(markdownOptions).parse(tokens);
 }
 
+// Marked helper functions that should probably just be exported
+
+function unescape(html) {
+    return html.replace(/&([#\w]+);/g, (_, m) => {
+        const n = m.toLowerCase();
+        if (n === 'colon') {
+            return ':';
+        } else if (n.charAt(0) === '#') {
+            return n.charAt(1) === 'x' ?
+                String.fromCharCode(parseInt(n.substring(2), 16)) :
+                String.fromCharCode(+n.substring(1));
+        }
+        return '';
+    });
+}
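Review bot: The scheme check added in the try block rejects only `javascript:` and `vbscript:`, so a `data:` href passes through and the method goes on to render it as a link; later marked releases reject that scheme in the same check, and the condition could be extended with `|| unescaped.indexOf('data:') === 0`. The `catch (e)` that returns `''` is deliberate but reads like a swallowed error at a glance; a one-line comment such as `// decodeURIComponent throws on malformed percent-escapes; treat an undecodable href as unsafe` would make the intent clear. The enclosing link method begins and ends outside the hunk, so whether outHref is derived from the same href that is checked here cannot be confirmed from this view.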
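Review bot: unescape in the second hunk has no doc comment, and its name overstates what it does: named entities other than `&colon;` are dropped rather than decoded, and a numeric entity with a malformed number such as `&#xzz;` yields `String.fromCharCode(NaN)`, which is `\u0000`. That is acceptable for the sanitization call in the link method, where only the resulting scheme prefix matters, but anyone reusing it as a general entity decoder would be misled. A JSDoc along the lines of `/** Partial HTML-entity decoder copied from marked: handles &colon; and numeric entities only, drops other named entities, and is intended solely for scheme sanitization. */` would set expectations. Stylistically, `+n.substring(1)` reads better as `Number(n.substring(1))`.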