From 325a1471d2a32bcc1e2d2580b973ff4ba1df85e8 Mon Sep 17 00:00:00 2001 From: John MacFarlane Date: Sun, 17 Mar 2019 22:43:38 -0700 Subject: Make rendering safe by default. Removes CMARK_OPT_SAFE from options. Adds CMARK_OPT_UNSAFE, with the opposite meaning. The new default behavior is to suppress raw HTML and potentially dangerous links. The CMARK_OPT_UNSAFE option has to be set explicitly to prevent this. -------------------------------------------------------- NOTE: This change will require modifications in bindings for cmark and in most libraries and programs that use cmark. -------------------------------------------------------- Closes #239, #273. Borrows heavily from @kivikakk's patch in github/cmark-gfm#123. --- src/cmark.h | 10 +++++----- src/html.c | 12 ++++++------ src/main.c | 6 +++--- 3 files changed, 14 insertions(+), 14 deletions(-) (limited to 'src') diff --git a/src/cmark.h b/src/cmark.h index d1a65aa..ad9d4c4 100644 --- a/src/cmark.h +++ b/src/cmark.h @@ -552,13 +552,13 @@ char *cmark_render_latex(cmark_node *root, int options, int width); */ #define CMARK_OPT_HARDBREAKS (1 << 2) -/** Suppress raw HTML and unsafe links (`javascript:`, `vbscript:`, +/** Render raw HTML and unsafe links (`javascript:`, `vbscript:`, * `file:`, and `data:`, except for `image/png`, `image/gif`, - * `image/jpeg`, or `image/webp` mime types). Raw HTML is replaced - * by a placeholder HTML comment. Unsafe links are replaced by - * empty strings. + * `image/jpeg`, or `image/webp` mime types). By default, + * raw HTML is replaced by a placeholder HTML comment. Unsafe + * links are replaced by empty strings. */ -#define CMARK_OPT_SAFE (1 << 3) +#define CMARK_OPT_UNSAFE (1 << 17) /** Render `softbreak` elements as spaces. */ diff --git a/src/html.c b/src/html.c index a680e4a..a13d016 100644 --- a/src/html.c +++ b/src/html.c 
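Review bot: The rewritten doc comment for `CMARK_OPT_UNSAFE` in src/cmark.h says what the flag renders but not when it is acceptable to set it. Since the flag is now the only switch between untrusted Markdown and script-capable output, consider adding a line such as ` * Only set this for trusted input, or sanitize the resulting HTML.` The parenthetical scheme list now reads as an exception to what gets rendered rather than as the definition of an unsafe link, so it would be clearer as its own sentence. Separately, removing `CMARK_OPT_SAFE` outright makes existing callers fail to compile; keeping `#define CMARK_OPT_SAFE (1 << 3)` documented as having no effect would let callers that already asked for safe output upgrade without edits, provided bit 3 is not reused.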
@@ -170,7 +170,7 @@ static int S_render_node(cmark_node *node, cmark_event_type ev_type, case CMARK_NODE_HTML_BLOCK: cr(html); - if (options & CMARK_OPT_SAFE) { + if (!(options & CMARK_OPT_UNSAFE)) { cmark_strbuf_puts(html, ""); } else { cmark_strbuf_put(html, node->as.literal.data, node->as.literal.len); @@ -242,7 +242,7 @@ static int S_render_node(cmark_node *node, cmark_event_type ev_type, break; case CMARK_NODE_HTML_INLINE: - if (options & CMARK_OPT_SAFE) { + if (!(options & CMARK_OPT_UNSAFE)) { cmark_strbuf_puts(html, ""); } else { cmark_strbuf_put(html, node->as.literal.data, node->as.literal.len); @@ -278,8 +278,8 @@ static int S_render_node(cmark_node *node, cmark_event_type ev_type, case CMARK_NODE_LINK: if (entering) { cmark_strbuf_puts(html, "as.link.url, 0))) { + if ((options & CMARK_OPT_UNSAFE) || + !(scan_dangerous_url(&node->as.link.url, 0))) { houdini_escape_href(html, node->as.link.url.data, node->as.link.url.len); } @@ -296,8 +296,8 @@ static int S_render_node(cmark_node *node, cmark_event_type ev_type, case CMARK_NODE_IMAGE: if (entering) { cmark_strbuf_puts(html, "as.link.url, 0))) { + if ((options & CMARK_OPT_UNSAFE) || + !(scan_dangerous_url(&node->as.link.url, 0))) { houdini_escape_href(html, node->as.link.url.data, node->as.link.url.len); } diff --git a/src/main.c b/src/main.c index 1094fee..29360dc 100644 --- a/src/main.c +++ b/src/main.c @@ -38,7 +38,7 @@ void print_usage() { printf(" --sourcepos Include source position attribute\n"); printf(" --hardbreaks Treat newlines as hard line breaks\n"); printf(" --nobreaks Render soft line breaks as spaces\n"); - printf(" --safe Suppress raw HTML and dangerous URLs\n"); + printf(" --unsafe Render raw HTML and dangerous URLs\n"); printf(" --smart Use smart punctuation\n"); printf(" --validate-utf8 Replace UTF-8 invalid sequences with U+FFFD\n"); printf(" --help, -h Print usage information\n"); 
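Review bot: The safe-by-default policy is now spelled out separately at four sites in `S_render_node` (the `CMARK_NODE_HTML_BLOCK`, `CMARK_NODE_HTML_INLINE`, `CMARK_NODE_LINK` and `CMARK_NODE_IMAGE` cases), twice as `!(options & CMARK_OPT_UNSAFE)` and twice as the left operand of an `||`, so a later edit that flips one site would fail open without touching the others. Computing it once, e.g. `const int unsafe = (options & CMARK_OPT_UNSAFE) != 0;` near the top of the function (which starts outside these hunks), and testing `unsafe` at each site would make the polarity harder to get wrong. A short comment at the link and image cases, such as `/* dangerous URL and UNSAFE not set: emit an empty URL */`, would record the fallback that the header documents. No test change is visible in this view (the diffstat is limited to src), so it is worth confirming that the suite asserts the default behaviour with `options == 0`.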
@@ -112,8 +112,8 @@ int main(int argc, char *argv[]) {
 options |= CMARK_OPT_NOBREAKS;
 } else if (strcmp(argv[i], "--smart") == 0) {
 options |= CMARK_OPT_SMART;
- } else if (strcmp(argv[i], "--safe") == 0) {
- options |= CMARK_OPT_SAFE;
+ } else if (strcmp(argv[i], "--unsafe") == 0) {
+ options |= CMARK_OPT_UNSAFE;
 } else if (strcmp(argv[i], "--validate-utf8") == 0) {
 options |= CMARK_OPT_VALIDATE_UTF8;
 } else if ((strcmp(argv[i], "--help") == 0) ||
-- cgit v1.2.3
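Review bot: Dropping the `--safe` branch in `main` means existing invocations that pass `--safe` for untrusted input no longer match any option here. They fall through to whatever the rest of this `else if` chain does with unrecognized arguments (outside the hunk), so the pipelines that explicitly asked for safe output are the ones that break. Keeping the flag as an accepted no-op would avoid that: `} else if (strcmp(argv[i], "--safe") == 0) {` followed by `/* safe rendering is now the default; accepted for compatibility */`. The usage text in `print_usage` could then list `--safe` as deprecated or simply omit it.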