Fix escaping in autolinks, labels

Related to: aef5cce.

Author: wooorm

lib/handle/image-reference.js

@@ -10,13 +10,16 @@ function imageReference(node, _, context) {
   var subexit = context.enter('label')
   var alt = safe(context, node.alt, {before: '[', after: ']'})
   var reference
+  var currentStack
 
   subexit()
-
+  // Hide the fact that we’re in phrasing, because escapes don’t work.
+  currentStack = context.stack
+  context.stack = []
   subexit = context.enter('reference')
   reference = safe(context, association(node), {before: '[', after: ']'})
   subexit()
-
+  context.stack = currentStack
   exit()
 
   if (type !== 'full' && alt && alt === reference) {

lib/handle/link-reference.js

@@ -11,13 +11,16 @@ function linkReference(node, _, context) {
   var subexit = context.enter('label')
   var text = phrasing(node, context, {before: '[', after: ']'})
   var reference
+  var currentStack
 
   subexit()
-
+  // Hide the fact that we’re in phrasing, because escapes don’t work.
+  currentStack = context.stack
+  context.stack = []
   subexit = context.enter('reference')
   reference = safe(context, association(node), {before: '[', after: ']'})
   subexit()
-
+  context.stack = currentStack
   exit()
 
   if (type !== 'full' && text && text === reference) {

lib/handle/link.js

@@ -1,7 +1,6 @@
 module.exports = link
 link.peek = linkPeek
 
-var toString = require('mdast-util-to-string')
 var checkQuote = require('../util/check-quote')
 var formatLinkAsAutolink = require('../util/format-link-as-autolink')
 var phrasing = require('../util/container-phrasing')
@@ -22,7 +21,7 @@ function link(node, _, context) {
     currentStack = context.stack
     context.stack = []
     exit = context.enter('autolink')
-    value = '<' + toString(node) + '>'
+    value = '<' + phrasing(node, context, {before: '<', after: '>'}) + '>'
     exit()
     context.stack = currentStack
     return value

lib/unsafe.js

@@ -38,7 +38,7 @@ module.exports = [
   {atBreak: true, character: '#'},
   // Dollar sign and percentage are not used in markdown.
   // An ampersand could start a character reference.
-  {character: '&', after: '[#A-Za-z]'},
+  {character: '&', after: '[#A-Za-z]', inConstruct: 'phrasing'},
   // An apostrophe can break out of a title.
   {character: "'", inConstruct: 'titleApostrophe'},
   // A left paren could break out of a destination raw.

test.js

@@ -1151,12 +1151,17 @@ test('imageReference', function (t) {
 
   t.equal(
     to({
-      type: 'imageReference',
-      alt: '&a;',
-      identifier: '&b;',
-      referenceType: 'full'
+      type: 'paragraph',
+      children: [
+        {
+          type: 'imageReference',
+          alt: '&a;',
+          identifier: '&b;',
+          referenceType: 'full'
+        }
+      ]
     }),
-    '![\\&a;][\\&b;]\n',
+    '![\\&a;][&b;]\n',
     'should support incorrect character references'
   )
 
@@ -1513,12 +1518,17 @@ test('linkReference', function (t) {
 
   t.equal(
     to({
-      type: 'linkReference',
-      children: [{type: 'text', value: '&a;'}],
-      identifier: '&b;',
-      referenceType: 'full'
+      type: 'paragraph',
+      children: [
+        {
+          type: 'linkReference',
+          children: [{type: 'text', value: '&a;'}],
+          identifier: '&b;',
+          referenceType: 'full'
+        }
+      ]
     }),
-    '[\\&a;][\\&b;]\n',
+    '[\\&a;][&b;]\n',
     'should support incorrect character references'
   )
 
@@ -2467,5 +2477,18 @@ test('roundtrip', function (t) {
     'should roundtrip autolinks w/ potentially escapable characters'
   )
 
+  doc = [
+    'A [primary][toString], [secondary][constructor], and [tertiary][__proto__] link.',
+    '',
+    '[toString]: http://primary.com',
+    '',
+    '[__proto__]: http://tertiary.com',
+    '',
+    '[constructor]: http://secondary.com',
+    ''
+  ].join('\n')
+
+  t.equal(to(from(doc)), doc, 'should roundtrip potential prototype injections')
+
   t.end()
 })