Merge pull request #976 from UziTech/v0.3.9

V0.3.9

Author: joshbruce

bower.json

@@ -1,6 +1,5 @@
 {
   "name": "marked",
-  "version": "0.3.4",
   "homepage": "https://github.com/chjj/marked",
   "authors": [
     "Christopher Jeffrey <[email protected]>"

lib/marked.js

@@ -39,10 +39,6 @@ block.list = replace(block.list)
   ('def', '\\n+(?=' + block.def.source + ')')
   ();
 
-block.blockquote = replace(block.blockquote)
-  ('def', block.def)
-  ();
-
 block._tag = '(?!(?:'
   + 'a|em|strong|small|s|cite|q|dfn|abbr|data|time|code'
   + '|var|samp|kbd|sub|sup|i|b|u|mark|ruby|rt|rp|bdi|bdo'
@@ -457,7 +453,7 @@ var inline = {
   nolink: /^!?\[((?:\[[^\]]*\]|[^\[\]])*)\]/,
   strong: /^__([\s\S]+?)__(?!_)|^\*\*([\s\S]+?)\*\*(?!\*)/,
   em: /^\b_((?:[^_]|__)+?)_\b|^\*((?:\*\*|[\s\S])+?)\*(?!\*)/,
-  code: /^(`+)\s*([\s\S]*?[^`])\s*\1(?!`)/,
+  code: /^(`+)([\s\S]*?[^`])\1(?!`)/,
   br: /^ {2,}\n(?!\s*$)/,
   del: noop,
   text: /^[\s\S]+?(?=[\\<!\[_*`]| {2,}\n|$)/
@@ -578,9 +574,11 @@ InlineLexer.prototype.output = function(src) {
     if (cap = this.rules.autolink.exec(src)) {
       src = src.substring(cap[0].length);
       if (cap[2] === '@') {
-        text = cap[1].charAt(6) === ':'
+        text = escape(
+          cap[1].charAt(6) === ':'
           ? this.mangle(cap[1].substring(7))
-          : this.mangle(cap[1]);
+          : this.mangle(cap[1])
+        );
         href = this.mangle('mailto:') + text;
       } else {
         text = escape(cap[1]);
@@ -661,7 +659,7 @@ InlineLexer.prototype.output = function(src) {
     // code
     if (cap = this.rules.code.exec(src)) {
       src = src.substring(cap[0].length);
-      out += this.renderer.codespan(escape(cap[2], true));
+      out += this.renderer.codespan(escape(cap[2].trim(), true));
       continue;
     }
 
@@ -879,6 +877,9 @@ Renderer.prototype.link = function(href, title, text) {
       return '';
     }
   }
+  if (this.options.baseUrl && !originIndependentUrl.test(href)) {
+    href = resolveUrl(this.options.baseUrl, href);
+  }
   var out = '<a href="' + href + '"';
   if (title) {
     out += ' title="' + title + '"';
@@ -888,6 +889,9 @@ Renderer.prototype.link = function(href, title, text) {
 };
 
 Renderer.prototype.image = function(href, title, text) {
+  if (this.options.baseUrl && !originIndependentUrl.test(href)) {
+    href = resolveUrl(this.options.baseUrl, href);
+  }
   var out = '<img src="' + href + '" alt="' + text + '"';
   if (title) {
     out += ' title="' + title + '"';
@@ -1094,8 +1098,8 @@ function escape(html, encode) {
 }
 
 function unescape(html) {
-	// explicitly match decimal, hex, and named HTML entities 
-  return html.replace(/&(#(?:\d+)|(?:#x[0-9A-Fa-f]+)|(?:\w+));?/g, function(_, n) {
+	// explicitly match decimal, hex, and named HTML entities
+  return html.replace(/&(#(?:\d+)|(?:#x[0-9A-Fa-f]+)|(?:\w+));?/ig, function(_, n) {
     n = n.toLowerCase();
     if (n === 'colon') return ':';
     if (n.charAt(0) === '#') {
@@ -1119,6 +1123,30 @@ function replace(regex, opt) {
   };
 }
 
+function resolveUrl(base, href) {
+  if (!baseUrls[' ' + base]) {
+    // we can ignore everything in base after the last slash of its path component,
+    // but we might need to add _that_
+    // https://tools.ietf.org/html/rfc3986#section-3
+    if (/^[^:]+:\/*[^/]*$/.test(base)) {
+      baseUrls[' ' + base] = base + '/';
+    } else {
+      baseUrls[' ' + base] = base.replace(/[^/]*$/, '');
+    }
+  }
+  base = baseUrls[' ' + base];
+
+  if (href.slice(0, 2) === '//') {
+    return base.replace(/:[^]*/, ':') + href;
+  } else if (href.charAt(0) === '/') {
+    return base.replace(/(:\/*[^/]*)[^]*/, '$1') + href;
+  } else {
+    return base + href;
+  }
+}
+baseUrls = {};
+originIndependentUrl = /^$|^[a-z][a-z0-9+.-]*:|^[?#]/i;
+
 function noop() {}
 noop.exec = noop;
 
@@ -1253,7 +1281,8 @@ marked.defaults = {
   smartypants: false,
   headerPrefix: '',
   renderer: new Renderer,
-  xhtml: false
+  xhtml: false,
+  baseUrl: null
 };
 
 /**

marked.min.js

@@ -2,7 +2,7 @@
   "name": "marked",
   "description": "A markdown parser built for speed",
   "author": "Christopher Jeffrey",
-  "version": "0.3.7",
+  "version": "0.3.9",
   "main": "./lib/marked.js",
   "bin": "./bin/marked",
   "man": "./man/marked.1",

package-lock.json

@@ -101,7 +101,10 @@ main:
       });
       flags.forEach(function(key) {
         var val = true;
-        if (key.indexOf('no') === 0) {
+        if(key.indexOf('=') !== -1) {
+          val = decodeURIComponent(key.substring(key.indexOf('=') + 1));
+          key = key.substring(0, key.indexOf('='));
+        } else if (key.indexOf('no') === 0) {
           key = key.substring(2);
           val = false;
         }

package.json

@@ -6,7 +6,8 @@
 <hr>
 
 <blockquote>
-  <p>hello</p>
+  <p>hello
+[2]: hello</p>
 </blockquote>
 
 
@@ -24,5 +25,6 @@
 <blockquote>
   <p>foo
 bar
+[1]: foo
 bar</p>
 </blockquote>

test/index.js

@@ -0,0 +1,3 @@
+<p><a href="mailto:&lt;svg/onload=&quot;alert(1)&quot;//@x">&lt;svg/onload=&quot;alert(1)&quot;//@x</a></p>
+
+<p><a href="mailto:bar&quot;onclick=&quot;alert(&#39;XSS&#39;)&quot;@foo">bar&quot;onclick=&quot;alert(&#39;XSS&#39;)&quot;@foo</a></p>

test/tests/def_blocks.html

@@ -0,0 +1,3 @@
+<<svg/onload="alert(1)"//@x>
+
+<bar"onclick="alert('XSS')"@foo>

test/tests/mangle_xss.sanatize.nomangle.html

@@ -0,0 +1,35 @@
+<h1 id="absolutization-of-rfc-3986-uris">Absolutization of RFC 3986 URIs</h1>
+
+<h2 id="absolute-uri">Absolute URI</h2>
+
+<p><a href="http://example.com/"><img src="http://example.com/logo" alt="section 4.3"></a></p>
+
+<h2 id="network-path-reference">Network-path reference</h2>
+
+<p><a href="http://example.com/"><img src="http://example.com/logo" alt="section 4.2"></a></p>
+
+<h2 id="absolute-path">Absolute path</h2>
+
+<p><a href="http://example.com/path/to/content"><img src="http://example.com/path/to/img" alt="section 4.2"></a></p>
+
+<h2 id="relative-path">Relative path</h2>
+
+<p><a href="http://example.com/base/content"><img src="http://example.com/base/img" alt="section 4.2"></a></p>
+
+<h2 id="dot-relative-path">Dot-relative path</h2>
+
+<p><a href="http://example.com/base/./content"><img src="http://example.com/base/./img" alt="section 3.3"></a></p>
+
+<p><a href="http://example.com/base/../content"><img src="http://example.com/base/../img" alt="section 3.3"></a></p>
+
+<h2 id="same-document-query">Same-document query</h2>
+
+<p><a href="?"><img src="?type=image" alt="section 4.4"></a></p>
+
+<h2 id="same-document-fragment">Same-document fragment</h2>
+
+<p><a href="#"><img src="#img" alt="section 4.4"></a></p>
+
+<h2 id="empty">Empty</h2>
+
+<p><a href="">section 4.2</a></p>

test/tests/mangle_xss.sanatize.nomangle.text

@@ -0,0 +1,27 @@
+# Absolutization of RFC 3986 URIs
+
+## Absolute URI
+[![section 4.3](http://example.com/logo)](http://example.com/)
+
+## Network-path reference
+[![section 4.2](//example.com/logo)](//example.com/)
+
+## Absolute path
+[![section 4.2](/path/to/img)](/path/to/content)
+
+## Relative path
+[![section 4.2](img)](content)
+
+## Dot-relative path
+[![section 3.3](./img)](./content)
+
+[![section 3.3](../img)](../content)
+
+## Same-document query
+[![section 4.4](?type=image)](?)
+
+## Same-document fragment
+[![section 4.4](#img)](#)
+
+## Empty
+[section 4.2]()

test/tests/relative_urls.baseUrl=http%3A%2F%2Fexample%2Ecom%2Fbase%2F.html

@@ -1,30 +1,30 @@
 <p>hello world
-    how are you
-    how are you</p>
+    text after spaces
+    text after spaces</p>
 
-<p>hello world</p>
-<pre><code>how are you</code></pre>
+<p>paragraph before code</p>
+<pre><code>text inside block code</code></pre>
 
-<p>hello world</p>
+<p>paragraph before hr</p>
 <hr>
 
-<p>hello world</p>
+<p>paragraph before head with hash</p>
 <h1 id="how-are-you">how are you</h1>
 
-<p>hello world</p>
+<p>paragraph before head with equals</p>
 <h1 id="how-are-you">how are you</h1>
 
-<p>hello world</p>
-<blockquote><p>how are you</p></blockquote>
+<p>paragraph before blockquote</p>
+<blockquote><p>text for blockquote</p></blockquote>
 
-<p>hello world</p>
-<ul><li>how are you</li></ul>
+<p>paragraph before list</p>
+<ul><li>text inside list</li></ul>
 
-<p>hello world</p>
-<div>how are you</div>
+<p>paragraph before div</p>
+<div>text inside div</div>
 
-<p>hello world
-<span>how are you</span></p>
+<p>paragraph with span
+<span>text inside span</span></p>
 
 <p>hello <a href="/are/you">world</a>
 </p>

test/tests/relative_urls.baseUrl=http%3A%2F%2Fexample%2Ecom%2Fbase%2F.text

@@ -1,35 +1,36 @@
 hello world
-    how are you
-    how are you
+    text after spaces
+    text after spaces
 
-hello world
+paragraph before code
 ```
-how are you
+text inside block code
 ```
 
-hello world
+paragraph before hr
 * * *
 
-hello world
+paragraph before head with hash
 # how are you
 
-hello world
+paragraph before head with equals
 how are you
 ===========
 
-hello world
-> how are you
+paragraph before blockquote
+> text for blockquote
 
-hello world
-* how are you
+paragraph before list
+* text inside list
 
-hello world
-<div>how are you</div>
+paragraph before div
+<div>text inside div</div>
 
-hello world
-<span>how are you</span>
+paragraph with span
+<span>text inside span</span>
 
 hello [world][how]
+
 [how]: /are/you
 
 <div>hello</div>

test/tests/toplevel_paragraphs.gfm.html

@@ -0,0 +1,2 @@
+<p>lowerlower
+upperupper</p>

test/tests/toplevel_paragraphs.gfm.text

@@ -0,0 +1,2 @@
+lower[click me](javascript:...)lower
+upper[click me](javascript:...)upper