Fix scripting vulnerability in regex parsing (thanks zx2c4)

[blerg.git] / www / js / blerg.js

diff --git a/www/js/blerg.js b/www/js/blerg.js
index c5fd504..dcb5679 100644 (file)
--- a/www/js/blerg.js
+++ b/www/js/blerg.js
@@ -247,10 +247,10 @@ function mangleRecord(record, template) {
     record.data = record.data.replace('&', '&amp;').replace('<', '&lt;').replace('>', '&gt');
 
     // Turn HTTP URLs into links
-    record.data = record.data.replace(/(\s|^)(https?:\/\/[a-zA-Z0-9.-]*[a-zA-Z0-9](\/(\S*[^.!,;?()\s])?)?)/g, '$1<a href="$2">$2</a>');
+    record.data = record.data.replace(/(\s|^)(https?:\/\/[a-zA-Z0-9.-]*[a-zA-Z0-9](\/([^\s"]*[^.!,;?()\s])?)?)/g, '$1<a href="$2">$2</a>');
 
     // Turn markdown links into links
-    record.data = record.data.replace(/(\s|^)\[([^\]]+)\]\((https?:\/\/[a-zA-Z0-9.-]*[a-zA-Z0-9](\/[^)]*?)?)\)/, '$1<a href="$3">$2</a>');
+    record.data = record.data.replace(/(\s|^)\[([^\]]+)\]\((https?:\/\/[a-zA-Z0-9.-]*[a-zA-Z0-9](\/[^)"]*?)?)\)/, '$1<a href="$3">$2</a>');
 
     // Turn *foo* into italics and **foo** into bold
     record.data = record.data.replace(/(\s)\*\*([^*]+)\*\*(\s)/, '$1<b>$2</b>$3');