fix: isExternal check with malformed URL + tests (#1510)

Fix #1477. Fix #1126. Follow-up to #1489.
2024-12-02 12:10:04 +08:00 · 2021-02-18 06:06:44 -06:00 · 2021-02-18 06:06:44 -06:00 · ff2a66f127
commit ff2a66f127
parent 6c13bdb7bd
2 changed files with 33 additions and 1 deletions
--- a/src/core/fetch/index.js
+++ b/src/core/fetch/index.js
@ -22,7 +22,7 @@ function loadNested(path, qs, file, next, vm, first) {

 function isExternal(url) {
  let match = url.match(
-    /^([^:/?#]+:)?(?:\/\/([^/?#]*))?([^?#]+)?(\?[^#]*)?(#.*)?/
+    /^([^:/?#]+:)?(?:\/{2,}([^/?#]*))?([^?#]+)?(\?[^#]*)?(#.*)?/
  );
  if (
    typeof match[1] === 'string' &&
--- a/test/e2e/security.test.js
+++ b/test/e2e/security.test.js
@ -0,0 +1,32 @@
+const docsifyInit = require('../helpers/docsify-init');
+
+describe(`Security`, function() {
+  const sharedOptions = {
+    markdown: {
+      homepage: '# Hello World',
+    },
+    routes: {
+      'test.md': '# Test Page',
+    },
+  };
+
+  describe(`Cross Site Scripting (XSS)`, function() {
+    const slashStrings = ['//', '///'];
+
+    for (const slashString of slashStrings) {
+      const hash = `#${slashString}domain.com/file.md`;
+
+      test(`should not load remote content from hash (${hash})`, async () => {
+        await docsifyInit(sharedOptions);
+        await expect(page).toHaveText('#main', 'Hello World');
+        await page.evaluate(() => (location.hash = '#/test'));
+        await expect(page).toHaveText('#main', 'Test Page');
+        await page.evaluate(newHash => {
+          location.hash = newHash;
+        }, hash);
+        await expect(page).toHaveText('#main', 'Hello World');
+        expect(page.url()).toMatch(/#\/$/);
+      });
+    }
+  });
+});