From 285e9647c6d2f90d8cb7af543b14c986a8efa631 Mon Sep 17 00:00:00 2001
From: Asherah Connor
Date: Fri, 12 Feb 2021 21:15:29 +1100
Subject: [PATCH] SECURITY: match unsafe prefixes case-insensitively

Many thanks to Kouhei Morita for reporting this.

Co-authored-by: Kouhei Morita
---
 src/lexer.pest | 2 +-
 src/tests.rs | 146 +++++++++++++++++++++++++++++++++++++++++++++++++
 2 files changed, 147 insertions(+), 1 deletion(-)

diff --git a/src/lexer.pest b/src/lexer.pest
index e97647c..7f6cd3f 100644
--- a/src/lexer.pest
+++ b/src/lexer.pest
@@ -55,4 +55,4 @@ table_start = { "|"? ~ table_marker ~ ("|" ~ table_marker)* ~ "|"? ~ table_space
 table_cell_end = { "|" ~ table_spacechar* ~ table_newline? }
 table_row_end = { table_spacechar* ~ table_newline }

-dangerous_url = { "data:" ~ !("png" | "gif" | "jpeg" | "webp") | "javascript:" | "vbscript:" | "file:" }
+dangerous_url = { ^"data:" ~ !(^"image/" ~ (^"png" | ^"gif" | ^"jpeg" | ^"webp")) | ^"javascript:" | ^"vbscript:" | ^"file:" }
diff --git a/src/tests.rs b/src/tests.rs
index c61a493..5f3e0cc 100644
--- a/src/tests.rs
+++ b/src/tests.rs
@@ -998,3 +998,11 @@ fn description_lists() {
 ),
 );
 }
+
+#[test]
+fn case_insensitive_safety() {
+ html(
+ "[a](javascript:a) [b](Javascript:b) [c](jaVascript:c) [d](data:xyz) [e](Data:xyz) [f](vbscripT:f) [g](FILE:g)\n",
+ "
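Review bot: The rewritten `dangerous_url` rule carries no comment saying why every literal is now pest's case-insensitive `^"..."` form, and since this rule is what decides whether a destination is dropped before it reaches an `href`, the intent belongs in the grammar itself; suggested line above the rule: `// Scheme names are case-insensitive (RFC 3986 §3.1), so every literal uses the ^"..." form; only data: URLs for the listed image subtypes are exempted.` The exemption is also a behavioural change the subject line does not mention: the old `"data:" ~ !("png" | "gif" | "jpeg" | "webp")` lookahead could never exempt `data:image/png`, because `image/` precedes the subtype, so the new `^"image/"` prefix is what makes the allowlist effective at all, and the commit message should say so. The rule only inspects the bytes it is handed, from position 0; it is worth confirming outside this hunk that the caller runs it on the fully unescaped link destination, so that the scan sees the normalized scheme rather than an encoded spelling of it.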

a b c d e f g

\n",
+ );
+}
-- 2.30.1
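Review bot: Nothing in `case_insensitive_safety` exercises the `data:image/` exemption that the same commit adds to `dangerous_url`, so the allowlist half of the grammar change lands untested: there is no case asserting that an upper-cased image subtype such as `data:image/PNG` is kept, nor that a subtype outside the list such as `data:image/svg+xml` is still stripped. A companion test in the same `html(...)` shape with one destination of each kind would pin both directions; the expected-HTML argument on this page appears garbled (its tags are missing), so I cannot quote the exact expected string. The diffstat lists 146 added lines for src/tests.rs while this hunk header (`+998,11`) accounts for 8, so such tests may exist in a part of the patch not shown here. Separately, `file:` is only checked fully upper-cased (`FILE:g`); adding a mixed-case `File:` destination would mirror what the test already does for `javascript:`.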