From 49e87b7ae2dc323d83606792a749fb207595249e Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Dominykas=20Bly=C5=BE=C4=97?=
Date: Sat, 27 Jul 2019 22:05:05 +0300
Subject: [PATCH] fix: disallow ascii control characters in URLs (#334)

Closes https://github.com/jonschlinkert/remarkable/issues/332

The code here is very similar to other markdown libraries, so I pretty much did what they do:
- https://github.com/npm/marky-markdown/blob/008509231558765695938020a376b5b2e4fd4fcc/lib/gfm/override-link-destination-parser.js#L67
- https://github.com/markdown-it/markdown-it/blob/ba6830ba13fb92953a91fb90318964ccd15b82c4/lib/helpers/parse_link_destination.js#L53
---
 lib/helpers/parse_link_destination.js | 3 ++-
 test/fixtures/remarkable/xss.txt | 7 +++++++
 2 files changed, 9 insertions(+), 1 deletion(-)

diff --git a/lib/helpers/parse_link_destination.js b/lib/helpers/parse_link_destination.js
index 3cf20559..9586339c 100644
--- a/lib/helpers/parse_link_destination.js
+++ b/lib/helpers/parse_link_destination.js
@@ -52,7 +52,8 @@ module.exports = function parseLinkDestination(state, pos) {
 if (code === 0x20) { break; }
- if (code > 0x08 && code < 0x0e) { break; }
+ // ascii control chars
+ if (code < 0x20 || code === 0x7F) { break; }
 if (code === 0x5C /* \ */ && pos + 1 < max) {
 pos += 2;
diff --git a/test/fixtures/remarkable/xss.txt b/test/fixtures/remarkable/xss.txt
index 6fc22e04..e80a2aca 100644
--- a/test/fixtures/remarkable/xss.txt
+++ b/test/fixtures/remarkable/xss.txt
@@ -77,3 +77,10 @@ javascript:alert(1)
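Review bot: The new comment `// ascii control chars` in the lib/helpers/parse_link_destination.js hunk names what is matched but not why, and the reason is the security property a later edit could undo. I would write it as `// ASCII control chars (C0 range and DEL) end the destination: browsers strip or ignore some of them when parsing a URL, so they must not reach the scheme check`. The check sits in the loop at line 52 of parseLinkDestination, whose body starts and ends outside the hunk. If the function has a separate path for `<...>`-wrapped destinations, it is worth confirming that path rejects the same range and adding a fixture for it, since the added xss.txt case appears to cover only the bare form. The preceding `if (code === 0x20) { break; }` could also be folded into this test as `code <= 0x20`, which is purely stylistic.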

javascript:alert(1)

javascript:alert(1)

. + + +. +[ASCII control characters XSS](javascript:alert(1)) +. +

[ASCII control characters XSS](javascript:alert(1))

+.