]>
Commit | Line | Data |
---|---|---|
336a28fa A |
1 | <?php |
2 | ||
3 | namespace Shaarli\Formatter; | |
4 | ||
5 | use Shaarli\Config\ConfigManager; | |
6 | ||
7 | /** | |
8 | * Class BookmarkMarkdownFormatter | |
9 | * | |
10 | * Format bookmark description into Markdown format. | |
11 | * | |
12 | * @package Shaarli\Formatter | |
13 | */ | |
14 | class BookmarkMarkdownFormatter extends BookmarkDefaultFormatter | |
15 | { | |
16 | /** | |
17 | * When this tag is present in a bookmark, its description should not be processed with Markdown | |
18 | */ | |
b99e00f7 | 19 | public const NO_MD_TAG = 'nomarkdown'; |
336a28fa A |
20 | |
21 | /** @var \Parsedown instance */ | |
22 | protected $parsedown; | |
23 | ||
24 | /** @var bool used to escape HTML in Markdown or not. | |
25 | * It MUST be set to true for shared instance as HTML content can | |
26 | * introduce XSS vulnerabilities. | |
27 | */ | |
28 | protected $escape; | |
29 | ||
30 | /** | |
31 | * @var array List of allowed protocols for links inside bookmark's description. | |
32 | */ | |
33 | protected $allowedProtocols; | |
34 | ||
35 | /** | |
36 | * LinkMarkdownFormatter constructor. | |
37 | * | |
38 | * @param ConfigManager $conf instance | |
a39acb25 | 39 | * @param bool $isLoggedIn |
336a28fa | 40 | */ |
a39acb25 | 41 | public function __construct(ConfigManager $conf, bool $isLoggedIn) |
336a28fa | 42 | { |
a39acb25 A |
43 | parent::__construct($conf, $isLoggedIn); |
44 | ||
336a28fa A |
45 | $this->parsedown = new \Parsedown(); |
46 | $this->escape = $conf->get('security.markdown_escape', true); | |
47 | $this->allowedProtocols = $conf->get('security.allowed_protocols', []); | |
48 | } | |
49 | ||
50 | /** | |
51 | * @inheritdoc | |
52 | */ | |
53 | public function formatDescription($bookmark) | |
54 | { | |
55 | if (in_array(self::NO_MD_TAG, $bookmark->getTags())) { | |
56 | return parent::formatDescription($bookmark); | |
57 | } | |
58 | ||
4e3875c0 A |
59 | $processedDescription = $this->tokenizeSearchHighlightField( |
60 | $bookmark->getDescription() ?? '', | |
61 | $bookmark->getAdditionalContentEntry('search_highlight')['description'] ?? [] | |
62 | ); | |
336a28fa A |
63 | $processedDescription = $this->filterProtocols($processedDescription); |
64 | $processedDescription = $this->formatHashTags($processedDescription); | |
cf92b4dd | 65 | $processedDescription = $this->reverseEscapedHtml($processedDescription); |
336a28fa A |
66 | $processedDescription = $this->parsedown |
67 | ->setMarkupEscaped($this->escape) | |
68 | ->setBreaksEnabled(true) | |
69 | ->text($processedDescription); | |
70 | $processedDescription = $this->sanitizeHtml($processedDescription); | |
4e3875c0 | 71 | $processedDescription = $this->replaceTokens($processedDescription); |
336a28fa A |
72 | |
73 | if (!empty($processedDescription)) { | |
53054b2b | 74 | $processedDescription = '<div class="markdown">' . $processedDescription . '</div>'; |
336a28fa A |
75 | } |
76 | ||
77 | return $processedDescription; | |
78 | } | |
79 | ||
80 | /** | |
81 | * Remove the NO markdown tag if it is present | |
82 | * | |
83 | * @inheritdoc | |
84 | */ | |
85 | protected function formatTagList($bookmark) | |
86 | { | |
87 | $out = parent::formatTagList($bookmark); | |
a39acb25 | 88 | if ($this->isLoggedIn === false && ($pos = array_search(self::NO_MD_TAG, $out)) !== false) { |
336a28fa A |
89 | unset($out[$pos]); |
90 | return array_values($out); | |
91 | } | |
92 | return $out; | |
93 | } | |
94 | ||
95 | /** | |
96 | * Replace not whitelisted protocols with http:// in given description. | |
97 | * Also adds `index_url` to relative links if it's specified | |
98 | * | |
99 | * @param string $description input description text. | |
100 | * | |
101 | * @return string $description without malicious link. | |
102 | */ | |
103 | protected function filterProtocols($description) | |
104 | { | |
105 | $allowedProtocols = $this->allowedProtocols; | |
106 | $indexUrl = ! empty($this->contextData['index_url']) ? $this->contextData['index_url'] : ''; | |
107 | ||
108 | return preg_replace_callback( | |
109 | '#]\((.*?)\)#is', | |
110 | function ($match) use ($allowedProtocols, $indexUrl) { | |
111 | $link = startsWith($match[1], '?') || startsWith($match[1], '/') ? $indexUrl : ''; | |
112 | $link .= whitelist_protocols($match[1], $allowedProtocols); | |
53054b2b | 113 | return '](' . $link . ')'; |
336a28fa A |
114 | }, |
115 | $description | |
116 | ); | |
117 | } | |
118 | ||
119 | /** | |
120 | * Replace hashtag in Markdown links format | |
03340c18 | 121 | * E.g. `#hashtag` becomes `[#hashtag](./add-tag/hashtag)` |
336a28fa A |
122 | * It includes the index URL if specified. |
123 | * | |
124 | * @param string $description | |
125 | * | |
126 | * @return string | |
127 | */ | |
128 | protected function formatHashTags($description) | |
129 | { | |
130 | $indexUrl = ! empty($this->contextData['index_url']) ? $this->contextData['index_url'] : ''; | |
131 | ||
132 | /* | |
133 | * To support unicode: http://stackoverflow.com/a/35498078/1484919 | |
134 | * \p{Pc} - to match underscore | |
135 | * \p{N} - numeric character in any script | |
136 | * \p{L} - letter from any language | |
137 | * \p{Mn} - any non marking space (accents, umlauts, etc) | |
138 | */ | |
139 | $regex = '/(^|\s)#([\p{Pc}\p{N}\p{L}\p{Mn}]+)/mui'; | |
53054b2b | 140 | $replacement = '$1[#$2](' . $indexUrl . './add-tag/$2)'; |
336a28fa A |
141 | |
142 | $descriptionLines = explode(PHP_EOL, $description); | |
143 | $descriptionOut = ''; | |
144 | $codeBlockOn = false; | |
145 | $lineCount = 0; | |
146 | ||
147 | foreach ($descriptionLines as $descriptionLine) { | |
148 | // Detect line of code: starting with 4 spaces, | |
149 | // except lists which can start with +/*/- or `2.` after spaces. | |
150 | $codeLineOn = preg_match('/^ +(?=[^\+\*\-])(?=(?!\d\.).)/', $descriptionLine) > 0; | |
151 | // Detect and toggle block of code | |
152 | if (!$codeBlockOn) { | |
153 | $codeBlockOn = preg_match('/^```/', $descriptionLine) > 0; | |
154 | } elseif (preg_match('/^```/', $descriptionLine) > 0) { | |
155 | $codeBlockOn = false; | |
156 | } | |
157 | ||
158 | if (!$codeBlockOn && !$codeLineOn) { | |
159 | $descriptionLine = preg_replace($regex, $replacement, $descriptionLine); | |
160 | } | |
161 | ||
162 | $descriptionOut .= $descriptionLine; | |
163 | if ($lineCount++ < count($descriptionLines) - 1) { | |
164 | $descriptionOut .= PHP_EOL; | |
165 | } | |
166 | } | |
167 | ||
168 | return $descriptionOut; | |
169 | } | |
170 | ||
171 | /** | |
172 | * Remove dangerous HTML tags (tags, iframe, etc.). | |
173 | * Doesn't affect <code> content (already escaped by Parsedown). | |
174 | * | |
175 | * @param string $description input description text. | |
176 | * | |
177 | * @return string given string escaped. | |
178 | */ | |
179 | protected function sanitizeHtml($description) | |
180 | { | |
53054b2b | 181 | $escapeTags = [ |
336a28fa A |
182 | 'script', |
183 | 'style', | |
184 | 'link', | |
185 | 'iframe', | |
186 | 'frameset', | |
187 | 'frame', | |
53054b2b | 188 | ]; |
336a28fa A |
189 | foreach ($escapeTags as $tag) { |
190 | $description = preg_replace_callback( | |
53054b2b | 191 | '#<\s*' . $tag . '[^>]*>(.*</\s*' . $tag . '[^>]*>)?#is', |
336a28fa A |
192 | function ($match) { |
193 | return escape($match[0]); | |
194 | }, | |
195 | $description | |
196 | ); | |
197 | } | |
198 | $description = preg_replace( | |
199 | '#(<[^>]+\s)on[a-z]*="?[^ "]*"?#is', | |
200 | '$1', | |
201 | $description | |
202 | ); | |
203 | return $description; | |
204 | } | |
cf92b4dd A |
205 | |
206 | protected function reverseEscapedHtml($description) | |
207 | { | |
208 | return unescape($description); | |
209 | } | |
336a28fa | 210 | } |