fix(204): parse blanks and quotes in unique attribute tags (#281)

* feat: add test * chore: update README.md [skip ci] * feat(285): add width and height and alt for img tag (#286) feat: add width and height and alt for img tag * chore: fast-peas-brush.md * chore: working * chore: lexer tests * fix: single atttr tag * fix: single atttr tag
2026-06-08 17:22:26 +03:00 · 2025-10-17 12:21:53 +02:00
parent 96b168a3a2
commit 322f88ad42
5 changed files with 120 additions and 8 deletions
@@ -1,6 +1,18 @@
-import { TYPE_ID, VALUE_ID, TYPE_WORD, TYPE_TAG, TYPE_ATTR_NAME, TYPE_ATTR_VALUE, TYPE_SPACE, TYPE_NEW_LINE, LINE_ID, COLUMN_ID, START_POS_ID, END_POS_ID } from '../src/Token';
-import { createLexer } from '../src/lexer';
-import { parse } from "../src";
+import {
+  TYPE_ID,
+  VALUE_ID,
+  TYPE_WORD,
+  TYPE_TAG,
+  TYPE_ATTR_NAME,
+  TYPE_ATTR_VALUE,
+  TYPE_SPACE,
+  TYPE_NEW_LINE,
+  LINE_ID,
+  COLUMN_ID,
+  START_POS_ID,
+  END_POS_ID
+} from '../src/Token';
+import { createLexer } from '../src';

 const TYPE = {
  WORD: TYPE_WORD,
@@ -139,6 +151,49 @@ describe('lexer', () => {
    expect(tokens).toBeMatchOutput(output);
  });

+  test('paired tag with url tag with fakeUnique', () => {
+    const input = '[url=https://example.org/ fakeUnique=fakeUnique]T[/url]';
+    const tokens = tokenize(input);
+
+    const output = [
+      [TYPE.TAG, 'url', 0, 0, 0, 48],
+      [TYPE.ATTR_VALUE, 'https://example.org/ fakeUnique=fakeUnique', 5, 0],
+      [TYPE.WORD, 'T', 48, 0],
+      [TYPE.TAG, '/url', 50, 0, 49, 55],
+    ];
+
+    expect(tokens).toBeMatchOutput(output);
+  });
+
+  test('single tag with xss', () => {
+    const input = '[url=javascript:alert(\'XSS ME\');]TEXT[/url]';
+    const tokens = tokenize(input);
+
+    const output = [
+      [TYPE.TAG, 'url', 0, 0, 0, 33],
+      [TYPE.ATTR_VALUE, 'javascript:alert(\'XSS ME\');', 5, 0],
+      [TYPE.WORD, 'TEXT', 33, 0],
+      [TYPE.TAG, '/url', 38, 0, 37, 43],
+    ];
+
+    expect(tokens).toBeMatchOutput(output);
+  });
+
+  test('single tag with xss and double quotes', () => {
+    const input = '[url=javascript:alert("XSS ME");]TEXT[/url]';
+    const tokens = tokenize(input);
+
+    const output = [
+      [TYPE.TAG, 'url', 0, 0, 0, 33],
+      [TYPE.ATTR_VALUE, 'javascript:alert("XSS ME', 5, 0],
+      [TYPE.ATTR_VALUE, ');', 31, 0],
+      [TYPE.WORD, 'TEXT', 33, 0],
+      [TYPE.TAG, '/url', 38, 0, 37, 43],
+    ];
+
+    expect(tokens).toBeMatchOutput(output);
+  });
+
  test('single fake tag', () => {
    const input = '[ user=111]';
    const tokens = tokenize(input);
@@ -641,6 +641,28 @@ describe('Parser', () => {
    ]);
  });

+  test('parse url tag with fakeUnique', () => {
+    const ast = parse('[url=https://example.org/ fakeUnique=fakeUnique]T[/url]');
+
+    expect(ast).toBeMatchAST([
+      {
+        tag: 'url',
+        attrs: {
+          'https://example.org/ fakeUnique=fakeUnique': 'https://example.org/ fakeUnique=fakeUnique',
+        },
+        content: ['T'],
+        start: {
+          from: 0,
+          to: 48,
+        },
+        end: {
+          from: 49,
+          to: 55,
+        },
+      },
+    ]);
+  });
+
  test('parse triple nested tags', () => {
    const ast = parse(`this is outside [spoiler title="name with
      multiline