improve logo escaping (#3511)
* escape logo in make-badge * 2.2.1 release notes * tighten up validation of logo param
@@ -1,5 +1,6 @@
|
||||
'use strict'
|
||||
|
||||
const Joi = require('joi')
|
||||
const { toSvgColor } = require('../gh-badges/lib/color')
|
||||
const coalesce = require('../core/base-service/coalesce')
|
||||
const { svg2base64 } = require('./svg-helpers')
|
||||
@@ -31,7 +32,12 @@ function prependPrefix(s, prefix) {
|
||||
}
|
||||
|
||||
function isDataUrl(s) {
|
||||
return s !== undefined && /^(data:)([^;]+);([^,]+),(.+)$/.test(s)
|
||||
try {
|
||||
Joi.assert(s, Joi.string().dataUri())
|
||||
return true
|
||||
} catch (e) {
|
||||
return false
|
||||
}
|
||||
}
|
||||
|
||||
// +'s are replaced with spaces when used in query params, this returns them
|
||||
|
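Review bot: The rewritten `isDataUrl` drops the explicit `s !== undefined` guard, and a Joi schema accepts `undefined` unless it is marked required, so `isDataUrl(undefined)` now appears to return true where the regex version returned false; use `Joi.assert(s, Joi.string().dataUri().required())` to keep the old contract. The `try/catch` also maps every exception to false, which is fine for validation failures but would hide a genuine bug such as a misconfigured schema; calling the schema's `validate(s)` and testing its `error` field (unset on success) avoids using exceptions for control flow. As far as I recall Joi's dataUri rule, it only constrains the payload of `;base64` URIs, so a `data:image/svg+xml;charset=utf-8,…` value carrying markup would likely still pass this check — the escaping this commit adds in make-badge (not in view here) has to stay the real defense. A comment above the function would make that explicit: `// Shape check only: the logo value is still escaped when rendered into the SVG.`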
||||
@@ -19,8 +19,16 @@ describe('Logo helpers', function() {
|
||||
})
|
||||
|
||||
test(isDataUrl, () => {
|
||||
//valid input
|
||||
given('data:image/svg+xml;base64,PHN2ZyB4bWxu').expect(true)
|
||||
|
||||
// invalid inputs
|
||||
forCases([given('data:foobar'), given('foobar')]).expect(false)
|
||||
|
||||
// attempted XSS attack
|
||||
given(
|
||||
'data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAADUlEQVR42mNk+P+/HgAFhAJ/wlseKgAAAABJRU5ErkJggg=="/><script>alert()</script>'
|
||||
).expect(false)
|
||||
})
|
||||
|
||||
test(prepareNamedLogo, () => {
|
||||
|
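Review bot: The negative cases at `forCases([given('data:foobar'), given('foobar')])` do not cover `undefined`, which the previous implementation rejected explicitly and which a Joi schema only rejects when marked required; add `given(undefined).expect(false)` so the regression is caught. The XSS case exercises only the `;base64` form, where Joi's strict base64 check stops the trailing markup; a non-base64 variant such as `given('data:image/svg+xml;charset=utf-8,"/><script>alert()</script>').expect(false)` would show whether the validator or only the downstream escaping handles that path. Minor: `//valid input` is missing the space the other comments use.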
||||