Allow data URIs as image sources #164

Closed
wants to merge 1 commit into from
2 changes: 1 addition & 1 deletion readme.md
Original file line number Diff line number Diff line change
Expand Up @@ -285,7 +285,7 @@ The following bash scripts are useful when working on this project:
The typical security aspect discussed for markdown is [cross-site scripting
(XSS)][xss] attacks.
Markdown itself is safe if it does not include embedded HTML or dangerous
protocols in links/images (such as `javascript:` or `data:`).
protocols in links/images (such as `javascript:`).
`markdown-rs` makes any markdown safe by default, even if HTML is embedded or
dangerous protocols are used, as it encodes or drops them.
Turning on the `allow_dangerous_html` or `allow_dangerous_protocol` options for
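Review bot: the readme change removes `data:` from the example of dangerous protocols without saying where it is now allowed, which reads as if data URIs were safe everywhere; since only `SAFE_PROTOCOL_SRC` gains `data` while `SAFE_PROTOCOL_HREF` (six entries, unchanged in this PR) still excludes it, the sentence should state the split, e.g. "(such as `javascript:`, or `data:` in links; `data:` is accepted for image `src` only)". That keeps the readme consistent with the constants and tells integrators that a `data:` link is still dropped.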
4 changes: 2 additions & 2 deletions src/configuration.rs
Expand Up @@ -518,9 +518,9 @@ pub struct CompileOptions {
///
/// URLs that have no protocol (which means it’s relative to the current
/// page, such as `./some/page.html`) and URLs that have a safe protocol
/// (for images: `http`, `https`; for links: `http`, `https`, `irc`,
/// (for images: `http`, `https`, `data`; for links: `http`, `https`, `irc`,
/// `ircs`, `mailto`, `xmpp`), are safe.
/// All other URLs are dangerous and dropped.
/// All other URLs are considered dangerous by this library and dropped.
///
/// ## Examples
///
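Review bot: the new doc line `(for images: `http`, `https`, `data`; ...)` should say that the check is on the scheme only: `SAFE_PROTOCOL_SRC` is a list of scheme names, so any media type after `data:` passes, not just `image/*`, and `data:text/html,...` would be emitted as an image `src` as well. Browsers do not run script from an `<img>` source, but consumers that reuse `src` values in other contexts need to know the scope, so one sentence here ("the media type of a `data:` URI is not restricted") would prevent surprises. It is also worth stating explicitly that `data` remains dangerous for links.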
2 changes: 1 addition & 1 deletion src/util/constant.rs
Expand Up @@ -274,7 +274,7 @@ pub const SAFE_PROTOCOL_HREF: [&str; 6] = ["http", "https", "irc", "ircs", "mail
/// List of protocols allowed, when operating safely, as `src` on `img`.
///
/// This list is based on what is allowed by GitHub.
pub const SAFE_PROTOCOL_SRC: [&str; 2] = ["http", "https"];
pub const SAFE_PROTOCOL_SRC: [&str; 3] = ["http", "https", "data"];

/// The number of characters that form a tab stop.
///
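Review bot: the doc comment above `SAFE_PROTOCOL_SRC` still says the list "is based on what is allowed by GitHub"; if `data` was added on that basis, cite the reference, and if it was added for another reason, say so in the comment so the rationale survives. Add a line noting that `data` is deliberately absent from `SAFE_PROTOCOL_HREF` (still six entries in the context line above), otherwise a later reader may "fix" the asymmetry and open `data:` links. The array length `3` matches the three entries, so the constant itself is fine.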
6 changes: 6 additions & 0 deletions tests/misc_dangerous_protocol.rs
Expand Up @@ -113,6 +113,12 @@ fn dangerous_protocol_image() {
"<p><img src=\"a/b:c\" alt=\"\" /></p>",
"should allow a colon in a path"
);

assert_eq!(
to_html("![](data:image/png;base64,abc)"),
"<p><img src=\"data:image/png;base64,abc\" alt=\"\" /></p>",
"should allow data URIs"
);
}

#[test]
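Review bot: the new assertion covers only the accepted case; add the negative counterparts in the same file so the scope of the change is pinned down by tests: a `data:` URI as a link target (e.g. `[a](data:text/html,x)`) should still be dropped because `SAFE_PROTOCOL_HREF` is unchanged, and an image with a non-image media type (`![](data:text/html,x)`) should be asserted to whatever behaviour is intended, since the allowlist matches on the scheme and not the media type. One assertion with an uppercase scheme (`DATA:image/png;base64,abc`) would also document how the comparison handles case, whichever way the library treats it.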