Merge pull request #495 from aidantwoods/anti-xss

Prevent various XSS attacks [rebase and update of #276]

.gitattributes

@@ -0,0 +1,5 @@
+# Ignore all tests for archive
+/test               export-ignore
+/.gitattributes     export-ignore
+/.travis.yml        export-ignore
+/phpunit.xml.dist   export-ignore

.travis.yml

@@ -1,10 +1,27 @@
 language: php
 
-php:
-  - 5.6
-  - 5.5
-  - 5.4
-  - 5.3
-  - 5.2
-  - hhvm
-  
+dist: trusty
+sudo: false
+
+matrix:
+  include:
+    - php: 5.3
+      dist: precise
+    - php: 5.4
+    - php: 5.5
+    - php: 5.6
+    - php: 7.0
+    - php: 7.1
+    - php: nightly
+    - php: hhvm
+    - php: hhvm-nightly
+  fast_finish: true
+  allow_failures:
+    - php: nightly
+    - php: hhvm-nightly
+
+before_script:
+  - composer install --prefer-dist --no-interaction --no-progress
+
+script:
+  - vendor/bin/phpunit

LICENSE.txt

@@ -1,6 +1,6 @@
 The MIT License (MIT)
 
-Copyright (c) 2013 Emanuil Rusev, erusev.com
+Copyright (c) 2013-2018 Emanuil Rusev, erusev.com
 
 Permission is hereby granted, free of charge, to any person obtaining a copy of
 this software and associated documentation files (the "Software"), to deal in
@@ -17,4 +17,4 @@ IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS
 FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR
 COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER
 IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
-CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
+CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

README.md

@@ -1,17 +1,26 @@
+> I also make [Caret](https://caret.io?ref=parsedown) - a Markdown editor for Mac and PC.
+
 ## Parsedown
 
-Better [Markdown](http://en.wikipedia.org/wiki/Markdown) parser for PHP.
+[![Build Status](https://img.shields.io/travis/erusev/parsedown/master.svg?style=flat-square)](https://travis-ci.org/erusev/parsedown)
+<!--[![Total Downloads](http://img.shields.io/packagist/dt/erusev/parsedown.svg?style=flat-square)](https://packagist.org/packages/erusev/parsedown)-->
 
-- [Demo](http://parsedown.org/demo)
-- [Tests](http://parsedown.org/tests/)
+Better Markdown Parser in PHP
+
+[Demo](http://parsedown.org/demo) |
+[Benchmarks](http://parsedown.org/speed) |
+[Tests](http://parsedown.org/tests/) |
+[Documentation](https://github.com/erusev/parsedown/wiki/)
 
 ### Features
 
-* [Fast](http://parsedown.org/speed)
-* [Consistent](http://parsedown.org/consistency)
-* [GitHub Flavored](https://help.github.com/articles/github-flavored-markdown)
-* [Tested](https://travis-ci.org/erusev/parsedown) in PHP 5.2, 5.3, 5.4, 5.5, 5.6 and [hhvm](http://www.hhvm.com/)
+* One File
+* No Dependencies
+* Super Fast
 * Extensible
+* [GitHub flavored](https://help.github.com/articles/github-flavored-markdown)
+* Tested in 5.3 to 7.1 and in HHVM
+* [Markdown Extra extension](https://github.com/erusev/parsedown-extra)
 
 ### Installation
 
@@ -24,3 +33,29 @@ $Parsedown = new Parsedown();
 
 echo $Parsedown->text('Hello _Parsedown_!'); # prints: <p>Hello <em>Parsedown</em>!</p>
 ```
+
+More examples in [the wiki](https://github.com/erusev/parsedown/wiki/) and in [this video tutorial](http://youtu.be/wYZBY8DEikI).
+
+### Security
+
+Parsedown does not sanitize the HTML that it generates. When you deal with untrusted content (ex: user comments) you should also use a HTML sanitizer like [HTML Purifier](http://htmlpurifier.org/).
+
+### Questions
+
+**How does Parsedown work?**
+
+It tries to read Markdown like a human. First, it looks at the lines. It’s interested in how the lines start. This helps it recognise blocks. It knows, for example, that if a line starts with a `-` then perhaps it belongs to a list. Once it recognises the blocks, it continues to the content. As it reads, it watches out for special characters. This helps it recognise inline elements (or inlines).
+
+We call this approach "line based". We believe that Parsedown is the first Markdown parser to use it. Since the release of Parsedown, other developers have used the same approach to develop other Markdown parsers in PHP and in other languages.
+
+**Is it compliant with CommonMark?**
+
+It passes most of the CommonMark tests. Most of the tests that don't pass deal with cases that are quite uncommon. Still, as CommonMark matures, compliance should improve.
+
+**Who uses it?**
+
+[phpDocumentor](http://www.phpdoc.org/), [October CMS](http://octobercms.com/), [Bolt CMS](http://bolt.cm/), [Kirby CMS](http://getkirby.com/), [Grav CMS](http://getgrav.org/), [Statamic CMS](http://www.statamic.com/), [Herbie CMS](http://www.getherbie.org/), [RaspberryPi.org](http://www.raspberrypi.org/), [Symfony demo](https://github.com/symfony/symfony-demo) and [more](https://packagist.org/packages/erusev/parsedown/dependents).
+
+**How can I help?**
+
+Use it, star it, share it and if you feel generous, [donate](https://www.paypal.com/cgi-bin/webscr?cmd=_s-xclick&hosted_button_id=528P3NZQMP8N2).

composer.json

@@ -12,7 +12,13 @@
             "homepage": "http://erusev.com"
         }
     ],
+    "require": {
+        "php": ">=5.3.0"
+    },
+    "require-dev": {
+        "phpunit/phpunit": "^4.8.35"
+    },
     "autoload": {
         "psr-0": {"Parsedown": ""}
     }
-}
+}

phpunit.xml.dist

@@ -2,7 +2,7 @@
 <phpunit bootstrap="test/bootstrap.php" colors="true">
 	<testsuites>
 		<testsuite>
-			<file>test/Test.php</file>
+			<file>test/ParsedownTest.php</file>
 		</testsuite>
 	</testsuites>
-</phpunit>
+</phpunit>

test/CommonMarkTest.php

@@ -0,0 +1,77 @@
+<?php
+
+/**
+ * Test Parsedown against the CommonMark spec.
+ *
+ * Some code based on the original JavaScript test runner by jgm.
+ *
+ * @link http://commonmark.org/ CommonMark
+ * @link http://git.io/8WtRvQ JavaScript test runner
+ */
+
+use PHPUnit\Framework\TestCase;
+
+class CommonMarkTest extends TestCase
+{
+    const SPEC_URL = 'https://raw.githubusercontent.com/jgm/stmd/master/spec.txt';
+
+    /**
+     * @dataProvider data
+     * @param $section
+     * @param $markdown
+     * @param $expectedHtml
+     */
+    function test_($section, $markdown, $expectedHtml)
+    {
+        $Parsedown = new Parsedown();
+        $Parsedown->setUrlsLinked(false);
+
+        $actualHtml = $Parsedown->text($markdown);
+        $actualHtml = $this->normalizeMarkup($actualHtml);
+
+        $this->assertEquals($expectedHtml, $actualHtml);
+    }
+
+    function data()
+    {
+        $spec = file_get_contents(self::SPEC_URL);
+        $spec = strstr($spec, '<!-- END TESTS -->', true);
+
+        $tests = array();
+        $currentSection = '';
+
+        preg_replace_callback(
+            '/^\.\n([\s\S]*?)^\.\n([\s\S]*?)^\.$|^#{1,6} *(.*)$/m',
+            function($matches) use ( & $tests, & $currentSection, & $testCount) {
+                if (isset($matches[3]) and $matches[3]) {
+                    $currentSection = $matches[3];
+                } else {
+                    $testCount++;
+                    $markdown = $matches[1];
+                    $markdown = preg_replace('/→/', "\t", $markdown);
+                    $expectedHtml = $matches[2];
+                    $expectedHtml = $this->normalizeMarkup($expectedHtml);
+                    $tests []= array(
+                        $currentSection, # section
+                        $markdown, # markdown
+                        $expectedHtml, # html
+                    );
+                }
+            },
+            $spec
+        );
+
+        return $tests;
+    }
+
+    private function normalizeMarkup($markup)
+    {
+        $markup = preg_replace("/\n+/", "\n", $markup);
+        $markup = preg_replace('/^\s+/m', '', $markup);
+        $markup = preg_replace('/^((?:<[\w]+>)+)\n/m', '$1', $markup);
+        $markup = preg_replace('/\n((?:<\/[\w]+>)+)$/m', '$1', $markup);
+        $markup = trim($markup);
+
+        return $markup;
+    }
+}

test/ParsedownTest.php

@@ -0,0 +1,163 @@
+<?php
+
+use PHPUnit\Framework\TestCase;
+
+class ParsedownTest extends TestCase
+{
+    final function __construct($name = null, array $data = array(), $dataName = '')
+    {
+        $this->dirs = $this->initDirs();
+        $this->Parsedown = $this->initParsedown();
+
+        parent::__construct($name, $data, $dataName);
+    }
+
+    private $dirs, $Parsedown;
+
+    /**
+     * @return array
+     */
+    protected function initDirs()
+    {
+        $dirs []= dirname(__FILE__).'/data/';
+
+        return $dirs;
+    }
+
+    /**
+     * @return Parsedown
+     */
+    protected function initParsedown()
+    {
+        $Parsedown = new Parsedown();
+
+        return $Parsedown;
+    }
+
+    /**
+     * @dataProvider data
+     * @param $test
+     * @param $dir
+     */
+    function test_($test, $dir)
+    {
+        $markdown = file_get_contents($dir . $test . '.md');
+
+        $expectedMarkup = file_get_contents($dir . $test . '.html');
+
+        $expectedMarkup = str_replace("\r\n", "\n", $expectedMarkup);
+        $expectedMarkup = str_replace("\r", "\n", $expectedMarkup);
+
+        $this->Parsedown->setSafeMode(substr($test, 0, 3) === 'xss');
+
+        $actualMarkup = $this->Parsedown->text($markdown);
+
+        $this->assertEquals($expectedMarkup, $actualMarkup);
+    }
+
+    function data()
+    {
+        $data = array();
+
+        foreach ($this->dirs as $dir)
+        {
+            $Folder = new DirectoryIterator($dir);
+
+            foreach ($Folder as $File)
+            {
+                /** @var $File DirectoryIterator */
+
+                if ( ! $File->isFile())
+                {
+                    continue;
+                }
+
+                $filename = $File->getFilename();
+
+                $extension = pathinfo($filename, PATHINFO_EXTENSION);
+
+                if ($extension !== 'md')
+                {
+                    continue;
+                }
+
+                $basename = $File->getBasename('.md');
+
+                if (file_exists($dir . $basename . '.html'))
+                {
+                    $data []= array($basename, $dir);
+                }
+            }
+        }
+
+        return $data;
+    }
+
+    public function test_no_markup()
+    {
+        $markdownWithHtml = <<<MARKDOWN_WITH_MARKUP
+<div>_content_</div>
+
+sparse:
+
+<div>
+<div class="inner">
+_content_
+</div>
+</div>
+
+paragraph
+
+<style type="text/css">
+    p {
+        color: red;
+    }
+</style>
+
+comment
+
+<!-- html comment -->
+MARKDOWN_WITH_MARKUP;
+
+        $expectedHtml = <<<EXPECTED_HTML
+<p>&lt;div&gt;<em>content</em>&lt;/div&gt;</p>
+<p>sparse:</p>
+<p>&lt;div&gt;
+&lt;div class=&quot;inner&quot;&gt;
+<em>content</em>
+&lt;/div&gt;
+&lt;/div&gt;</p>
+<p>paragraph</p>
+<p>&lt;style type=&quot;text/css&quot;&gt;
+p {
+color: red;
+}
+&lt;/style&gt;</p>
+<p>comment</p>
+<p>&lt;!-- html comment --&gt;</p>
+EXPECTED_HTML;
+        $parsedownWithNoMarkup = new Parsedown();
+        $parsedownWithNoMarkup->setMarkupEscaped(true);
+        $this->assertEquals($expectedHtml, $parsedownWithNoMarkup->text($markdownWithHtml));
+    }
+
+    public function testLateStaticBinding()
+    {
+        include __DIR__ . '/TestParsedown.php';
+
+        $parsedown = Parsedown::instance();
+        $this->assertInstanceOf('Parsedown', $parsedown);
+
+        // After instance is already called on Parsedown
+        // subsequent calls with the same arguments return the same instance
+        $sameParsedown = TestParsedown::instance();
+        $this->assertInstanceOf('Parsedown', $sameParsedown);
+        $this->assertSame($parsedown, $sameParsedown);
+
+        $testParsedown = TestParsedown::instance('test late static binding');
+        $this->assertInstanceOf('TestParsedown', $testParsedown);
+
+        $sameInstanceAgain = TestParsedown::instance('test late static binding');
+        $this->assertSame($testParsedown, $sameInstanceAgain);
+    }
+}

test/Test.php

@@ -1,65 +0,0 @@
-<?php
-
-class Test extends PHPUnit_Framework_TestCase
-{
-    public function __construct($name = null, array $data = array(), $dataName = '')
-    {
-        $this->dataDir = dirname(__FILE__).'/data/';
-
-        parent::__construct($name, $data, $dataName);
-    }
-
-    private $dataDir;
-
-    /**
-     * @dataProvider data
-     */
-    function test_($filename)
-    {
-        $markdown = file_get_contents($this->dataDir . $filename . '.md');
-
-        $expectedMarkup = file_get_contents($this->dataDir . $filename . '.html');
-
-        $expectedMarkup = str_replace("\r\n", "\n", $expectedMarkup);
-        $expectedMarkup = str_replace("\r", "\n", $expectedMarkup);
-
-        $actualMarkup = Parsedown::instance()->text($markdown);
-
-        $this->assertEquals($expectedMarkup, $actualMarkup);
-    }
-
-    function data()
-    {
-        $data = array();
-
-        $Folder = new DirectoryIterator($this->dataDir);
-
-        foreach ($Folder as $File)
-        {
-            /** @var $File DirectoryIterator */
-
-            if ( ! $File->isFile())
-            {
-                continue;
-            }
-
-            $filename = $File->getFilename();
-
-            $extension = pathinfo($filename, PATHINFO_EXTENSION);
-
-            if ($extension !== 'md')
-            {
-                continue;
-            }
-
-            $basename = $File->getBasename('.md');
-
-            if (file_exists($this->dataDir . $basename . '.html'))
-            {
-                $data []= array($basename);
-            }
-        }
-
-        return $data;
-    }
-}

test/TestParsedown.php

@@ -0,0 +1,5 @@
+<?php
+
+class TestParsedown extends Parsedown
+{
+}

test/bootstrap.php

@@ -1,3 +1,3 @@
 <?php
 
-include 'Parsedown.php';
+include 'Parsedown.php';

test/data/aligned_table.html

@@ -1,21 +1,21 @@
 <table>
 <thead>
 <tr>
-<th align="left">header 1</th>
-<th align="center">header 2</th>
-<th align="right">header 2</th>
+<th style="text-align: left;">header 1</th>
+<th style="text-align: center;">header 2</th>
+<th style="text-align: right;">header 2</th>
 </tr>
 </thead>
 <tbody>
 <tr>
-<td align="left">cell 1.1</td>
-<td align="center">cell 1.2</td>
-<td align="right">cell 1.3</td>
+<td style="text-align: left;">cell 1.1</td>
+<td style="text-align: center;">cell 1.2</td>
+<td style="text-align: right;">cell 1.3</td>
 </tr>
 <tr>
-<td align="left">cell 2.1</td>
-<td align="center">cell 2.2</td>
-<td align="right">cell 2.3</td>
+<td style="text-align: left;">cell 2.1</td>
+<td style="text-align: center;">cell 2.2</td>
+<td style="text-align: right;">cell 2.3</td>
 </tr>
 </tbody>
 </table>

test/data/atx_heading.html

@@ -4,5 +4,6 @@
 <h4>h4</h4>
 <h5>h5</h5>
 <h6>h6</h6>
+<p>####### not a heading</p>
 <h1>closed h1</h1>
 <p>#</p>

test/data/atx_heading.md

@@ -10,6 +10,8 @@
 
 ###### h6
 
+####### not a heading
+
 # closed h1 #
 
 #

test/data/block-level_html.html

@@ -1,5 +1,12 @@
 <div>_content_</div>
-<p>sparse:</p>
+<p>paragraph</p>
 <div>
-_content_
-</div>
+  <div class="inner">
+    _content_
+  </div>
+</div>
+<style type="text/css">
+  p {color: #789;}
+</style>
+<div>
+  <a href="/">home</a></div>

test/data/block-level_html.md

@@ -1,7 +1,16 @@
 <div>_content_</div>
 
-sparse:
+paragraph
 
 <div>
-_content_
-</div>
+  <div class="inner">
+    _content_
+  </div>
+</div>
+
+<style type="text/css">
+  p {color: #789;}
+</style>
+
+<div>
+  <a href="/">home</a></div>

test/data/escaping.html

@@ -1,4 +1,6 @@
 <p>escaped *emphasis*.</p>
 <p><code>escaped \*emphasis\* in a code span</code></p>
 <pre><code>escaped \*emphasis\* in a code block</code></pre>
-<p>\ ` * _ { } [ ] ( ) > # + - . !</p>
+<p>\ ` * _ { } [ ] ( ) > # + - . !</p>
+<p><em>one_two</em> <strong>one_two</strong></p>
+<p><em>one*two</em> <strong>one*two</strong></p>

test/data/escaping.md

@@ -4,4 +4,8 @@ escaped \*emphasis\*.
 
     escaped \*emphasis\* in a code block
 
-\\ \` \* \_ \{ \} \[ \] \( \) \> \# \+ \- \. \!
+\\ \` \* \_ \{ \} \[ \] \( \) \> \# \+ \- \. \!
+
+_one\_two_ __one\_two__
+
+*one\*two* **one\*two**

test/data/html_comment.html

@@ -0,0 +1,5 @@
+<!-- single line -->
+<p>paragraph</p>
+<!-- 
+  multiline -->
+<p>paragraph</p>

test/data/html_comment.md

@@ -0,0 +1,8 @@
+<!-- single line -->
+
+paragraph
+
+<!-- 
+  multiline -->
+
+paragraph

test/data/html_simple.html

@@ -1,28 +0,0 @@
-<p>Headings:</p>
-<h2 id="overview">Overview</h2>
-<p>blah</p>
-<H2 id="block">Block Elements</H2>
-<p>blah</p>
-<h3 id="span">
-      Span Elements
-</h3>
-<p>blah</p>
-<p>Hr's:</p>
-<hr>
-<p>blah</p>
-<hr/>
-<p>blah</p>
-<hr />
-<p>blah</p>
-<hr>   
-<p>blah</p>
-<hr/>  
-<p>blah</p>
-<hr /> 
-<p>blah</p>
-<hr class="foo" id="bar" />
-<p>blah</p>
-<hr class="foo" id="bar"/>
-<p>blah</p>
-<hr class="foo" id="bar" >
-<p>blah</p>

test/data/html_simple.md

@@ -1,39 +0,0 @@
-Headings:
-
-<h2 id="overview">Overview</h2>
-blah
-<H2 id="block">Block Elements</H2>
-blah
-<h3 id="span">
-      Span Elements
-</h3>
-blah
-
-Hr's:
-
-<hr>
-blah
-
-<hr/>
-blah
-
-<hr />
-blah
-
-<hr>   
-blah
-
-<hr/>  
-blah
-
-<hr /> 
-blah
-
-<hr class="foo" id="bar" />
-blah
-
-<hr class="foo" id="bar"/>
-blah
-
-<hr class="foo" id="bar" >
-blah

test/data/image_reference.html

@@ -1 +1,2 @@
-<p><img alt="Markdown Logo" src="/md.png" /></p>
+<p><img src="/md.png" alt="Markdown Logo" /></p>
+<p>![missing reference]</p>

test/data/image_reference.md

@@ -1,3 +1,5 @@
 ![Markdown Logo][image]
 
 [image]: /md.png
+
+![missing reference]

test/data/image_title.html

@@ -1 +1,2 @@
-<p><img alt="alt" src="/md.png" title="title" /></p>
+<p><img src="/md.png" alt="alt" title="title" /></p>
+<p><img src="/md.png" alt="blank title" title="" /></p>

test/data/image_title.md

@@ -1 +1,3 @@
-![alt](/md.png "title")
+![alt](/md.png "title")
+
+![blank title](/md.png "")

test/data/implicit_reference.html

@@ -1,3 +1,4 @@
 <p>an <a href="http://example.com">implicit</a> reference link</p>
 <p>an <a href="http://example.com">implicit</a> reference link with an empty link definition</p>
+<p>an <a href="http://example.com">implicit</a> reference link followed by <a href="http://cnn.com">another</a></p>
 <p>an <a href="http://example.com" title="Example">explicit</a> reference link with a title</p>

test/data/implicit_reference.md

@@ -4,6 +4,10 @@ an [implicit] reference link
 
 an [implicit][] reference link with an empty link definition
 
+an [implicit][] reference link followed by [another][]
+
+[another]: http://cnn.com
+
 an [explicit][example] reference link with a title
 
 [example]: http://example.com "Example"

test/data/inline_link_title.html

@@ -1 +1,6 @@
-<p><a href="http://example.com" title="Title">single quotes</a> and <a href="http://example.com" title="Title">double quotes</a></p>
+<p><a href="http://example.com" title="Title">single quotes</a></p>
+<p><a href="http://example.com" title="Title">double quotes</a></p>
+<p><a href="http://example.com" title="">single quotes blank</a></p>
+<p><a href="http://example.com" title="">double quotes blank</a></p>
+<p><a href="http://example.com" title="2 Words">space</a></p>
+<p><a href="http://example.com/url-(parentheses)" title="Title">parentheses</a></p>

test/data/inline_link_title.md

@@ -1 +1,11 @@
-[single quotes](http://example.com 'Title') and [double quotes](http://example.com "Title")
+[single quotes](http://example.com 'Title')
+
+[double quotes](http://example.com "Title")
+
+[single quotes blank](http://example.com '')
+
+[double quotes blank](http://example.com "")
+
+[space](http://example.com "2 Words")
+
+[parentheses](http://example.com/url-(parentheses) "Title")

test/data/lazy_blockquote.html

@@ -1,4 +1,6 @@
 <blockquote>
 <p>quote
 the rest of it</p>
+<p>another paragraph
+the rest of it</p>
 </blockquote>

test/data/lazy_blockquote.md

@@ -1,2 +1,5 @@
 > quote
+the rest of it
+
+> another paragraph
 the rest of it

test/data/ordered_list.html

@@ -8,6 +8,6 @@
 <li>two</li>
 </ol>
 <p>large numbers:</p>
-<ol>
+<ol start="123">
 <li>one</li>
 </ol>

test/data/self-closing_block-level_html.html

@@ -1,4 +0,0 @@
-<hr />
-<p>attributes:</p>
-<hr style="background: #9bd;" />
-<p>...</p>

test/data/self-closing_block-level_html.md

@@ -1,7 +0,0 @@
-<hr />
-
-attributes:
-
-<hr style="background: #9bd;" />
-
-...

test/data/self-closing_html.html

@@ -0,0 +1,12 @@
+<hr>
+<p>paragraph</p>
+<hr/>
+<p>paragraph</p>
+<hr />
+<p>paragraph</p>
+<hr class="foo" id="bar" />
+<p>paragraph</p>
+<hr class="foo" id="bar"/>
+<p>paragraph</p>
+<hr class="foo" id="bar" >
+<p>paragraph</p>

test/data/self-closing_html.md

@@ -0,0 +1,12 @@
+<hr>
+paragraph
+<hr/>
+paragraph
+<hr />
+paragraph
+<hr class="foo" id="bar" />
+paragraph
+<hr class="foo" id="bar"/>
+paragraph
+<hr class="foo" id="bar" >
+paragraph

test/data/simple_table.html

@@ -20,17 +20,17 @@
 <table>
 <thead>
 <tr>
-<th align="left">header 1</th>
+<th style="text-align: left;">header 1</th>
 <th>header 2</th>
 </tr>
 </thead>
 <tbody>
 <tr>
-<td align="left">cell 1.1</td>
+<td style="text-align: left;">cell 1.1</td>
 <td>cell 1.2</td>
 </tr>
 <tr>
-<td align="left">cell 2.1</td>
+<td style="text-align: left;">cell 2.1</td>
 <td>cell 2.2</td>
 </tr>
 </tbody>

test/data/span-level_html.html

@@ -1,4 +1,5 @@
 <p>an <b>important</b> <a href=''>link</a></p>
 <p>broken<br/>
 line</p>
-<p><b>inline tag</b> at the beginning</p>
+<p><b>inline tag</b> at the beginning</p>
+<p><span><a href="http://example.com">http://example.com</a></span></p>

test/data/span-level_html.md

@@ -3,4 +3,6 @@ an <b>important</b> <a href=''>link</a>
 broken<br/>
 line
 
-<b>inline tag</b> at the beginning
+<b>inline tag</b> at the beginning
+
+<span>http://example.com</span>

test/data/sparse_html.html

@@ -0,0 +1,8 @@
+<div>
+line 1
+
+line 2
+line 3
+
+line 4
+</div>

test/data/sparse_html.md

@@ -0,0 +1,8 @@
+<div>
+line 1
+
+line 2
+line 3
+
+line 4
+</div>

test/data/special_characters.html

@@ -1,6 +1,6 @@
 <p>AT&amp;T has an ampersand in their name</p>
 <p>this &amp; that</p>
-<p>4 &lt; 5 and 6 > 5</p>
+<p>4 &lt; 5 and 6 &gt; 5</p>
 <p><a href="http://example.com/autolink?a=1&amp;b=2">http://example.com/autolink?a=1&amp;b=2</a></p>
 <p><a href="/script?a=1&amp;b=2">inline link</a></p>
 <p><a href="http://example.com/?a=1&amp;b=2">reference link</a></p>

test/data/table_inline_markdown.html

@@ -11,8 +11,12 @@
 <td><del>cell</del> 1.2</td>
 </tr>
 <tr>
-<td><code>cell</code> 2.1</td>
-<td>cell 2.2</td>
+<td><code>|</code> 2.1</td>
+<td>| 2.2</td>
+</tr>
+<tr>
+<td><code>\|</code> 2.1</td>
+<td><a href="/">link</a></td>
 </tr>
 </tbody>
 </table>

test/data/table_inline_markdown.md

@@ -1,4 +1,5 @@
 | _header_ 1   | header 2     |
 | ------------ | ------------ |
 | _cell_ 1.1   | ~~cell~~ 1.2 |
-| `cell` 2.1   | cell 2.2     |
+| `|` 2.1      | \| 2.2       |
+| `\|` 2.1     | [link](/)    |

test/data/xss_attribute_encoding.html

@@ -0,0 +1,6 @@
+<p><a href="https://www.example.com&quot;">xss</a></p>
+<p><img src="https://www.example.com&quot;" alt="xss" /></p>
+<p><a href="https://www.example.com&#039;">xss</a></p>
+<p><img src="https://www.example.com&#039;" alt="xss" /></p>
+<p><img src="https://www.example.com" alt="xss&quot;" /></p>
+<p><img src="https://www.example.com" alt="xss&#039;" /></p>

test/data/xss_attribute_encoding.md

@@ -0,0 +1,11 @@
+[xss](https://www.example.com")
+
+![xss](https://www.example.com")
+
+[xss](https://www.example.com')
+
+![xss](https://www.example.com')
+
+![xss"](https://www.example.com)
+
+![xss'](https://www.example.com)

test/data/xss_bad_url.html

@@ -0,0 +1,16 @@
+<p><a href="javascript%3Aalert(1)">xss</a></p>
+<p><a href="javascript%3Aalert(1)">xss</a></p>
+<p><a href="javascript%3A//alert(1)">xss</a></p>
+<p><a href="javascript&amp;colon;alert(1)">xss</a></p>
+<p><img src="javascript%3Aalert(1)" alt="xss" /></p>
+<p><img src="javascript%3Aalert(1)" alt="xss" /></p>
+<p><img src="javascript%3A//alert(1)" alt="xss" /></p>
+<p><img src="javascript&amp;colon;alert(1)" alt="xss" /></p>
+<p><a href="data%3Atext/html;base64,PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg==">xss</a></p>
+<p><a href="data%3Atext/html;base64,PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg==">xss</a></p>
+<p><a href="data%3A//text/html;base64,PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg==">xss</a></p>
+<p><a href="data&amp;colon;text/html;base64,PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg==">xss</a></p>
+<p><img src="data%3Atext/html;base64,PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg==" alt="xss" /></p>
+<p><img src="data%3Atext/html;base64,PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg==" alt="xss" /></p>
+<p><img src="data%3A//text/html;base64,PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg==" alt="xss" /></p>
+<p><img src="data&amp;colon;text/html;base64,PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg==" alt="xss" /></p>

test/data/xss_bad_url.md

@@ -0,0 +1,31 @@
+[xss](javascript:alert(1))
+
+[xss]( javascript:alert(1))
+
+[xss](javascript://alert(1))
+
+[xss](javascript:alert(1))
+
+![xss](javascript:alert(1))
+
+![xss]( javascript:alert(1))
+
+![xss](javascript://alert(1))
+
+![xss](javascript:alert(1))
+
+[xss](data:text/html;base64,PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg==)
+
+[xss]( data:text/html;base64,PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg==)
+
+[xss](data://text/html;base64,PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg==)
+
+[xss](data:text/html;base64,PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg==)
+
+![xss](data:text/html;base64,PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg==)
+
+![xss]( data:text/html;base64,PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg==)
+
+![xss](data://text/html;base64,PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg==)
+
+![xss](data:text/html;base64,PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg==)

test/data/xss_text_encoding.html

@@ -0,0 +1,7 @@
+<p>&lt;script&gt;alert(1)&lt;/script&gt;</p>
+<p>&lt;script&gt;</p>
+<p>alert(1)</p>
+<p>&lt;/script&gt;</p>
+<p>&lt;script&gt;
+alert(1)
+&lt;/script&gt;</p>

test/data/xss_text_encoding.md

@@ -0,0 +1,12 @@
+<script>alert(1)</script>
+
+<script>
+
+alert(1)
+
+</script>
+
+
+<script>
+alert(1)
+</script>