summaryrefslogtreecommitdiff
path: root/api_test/main.c
diff options
context:
space:
mode:
authorJohn MacFarlane <jgm@berkeley.edu>2015-07-13 09:21:35 -0700
committerJohn MacFarlane <jgm@berkeley.edu>2015-07-13 10:15:55 -0700
commitac39623d667999cfae1444b46508a9a423b0df1b (patch)
tree40579cea4365b373fdc2831c2e43c2288671d028 /api_test/main.c
parent6dcd2beafdfbc9f694916bcdfa822b896aa44177 (diff)
Added `CMARK_OPT_SAFE` option and `--safe` command-line flag.
* Added `CMARK_OPT_SAFE`. This option disables rendering of raw HTML and potentially dangerous links. * Added `--safe` option in command-line program. * Updated `cmark.3` man page. * Added `scan_dangerous_url` to scanners. * In HTML, suppress rendering of raw HTML and potentially dangerous links if `CMARK_OPT_SAFE`. Dangerous URLs are those that begin with `javascript:`, `vbscript:`, `file:`, or `data:` (except for `image/png`, `image/gif`, `image/jpeg`, or `image/webp` mime types). * Added `api_test` for `OPT_CMARK_SAFE`. * Rewrote `README.md` on security.
Diffstat (limited to 'api_test/main.c')
-rw-r--r--api_test/main.c16
1 files changed, 16 insertions, 0 deletions
diff --git a/api_test/main.c b/api_test/main.c
index 104371c..dfb5483 100644
--- a/api_test/main.c
+++ b/api_test/main.c
@@ -714,6 +714,21 @@ numeric_entities(test_batch_runner *runner)
}
static void
+test_safe(test_batch_runner *runner)
+{
+ // Test safe mode
+ static const char raw_html[] =
+ "<div>\nhi\n</div>\n\n<a>hi</a>\n[link](JAVAscript:alert('hi'))\n![image](file:my.js)\n";
+ char *html = cmark_markdown_to_html(raw_html,
+ sizeof(raw_html) - 1,
+ CMARK_OPT_DEFAULT |
+ CMARK_OPT_SAFE);
+ STR_EQ(runner, html, "<!-- raw HTML omitted -->\n<p><!-- raw HTML omitted -->hi<!-- raw HTML omitted -->\n<a href=\"\">link</a>\n<img src=\"\" alt=\"image\" /></p>\n",
+ "input with raw HTML and dangerous links");
+ free(html);
+}
+
+static void
test_md_to_html(test_batch_runner *runner, const char *markdown,
const char *expected_html, const char *msg)
{
@@ -741,6 +756,7 @@ int main() {
line_endings(runner);
numeric_entities(runner);
test_cplusplus(runner);
+ test_safe(runner);
test_print_summary(runner);
retval = test_ok(runner) ? 0 : 1;