[github/shaarli/Shaarli.git] / application / formatter / BookmarkMarkdownFormatter.php

<?php

namespace Shaarli\Formatter;

use Shaarli\Config\ConfigManager;
use Shaarli\Formatter\Parsedown\ShaarliParsedown;

/**
 * Class BookmarkMarkdownFormatter
 *
 * Format bookmark description into Markdown format.
 *
 * @package Shaarli\Formatter
 */
class BookmarkMarkdownFormatter extends BookmarkDefaultFormatter
{
    /**
     * When this tag is present in a bookmark, its description should not be processed with Markdown
     */
    public const NO_MD_TAG = 'nomarkdown';

    /** @var \Parsedown instance */
    protected $parsedown;

    /** @var bool used to escape HTML in Markdown or not.
     *            It MUST be set to true for shared instance as HTML content can
     *            introduce XSS vulnerabilities.
     */
    protected $escape;

    /**
     * @var array List of allowed protocols for links inside bookmark's description.
     */
    protected $allowedProtocols;

    /**
     * LinkMarkdownFormatter constructor.
     *
     * @param ConfigManager $conf instance
     * @param bool          $isLoggedIn
     */
    public function __construct(ConfigManager $conf, bool $isLoggedIn)
    {
        parent::__construct($conf, $isLoggedIn);

        $this->parsedown = new ShaarliParsedown();
        $this->escape = $conf->get('security.markdown_escape', true);
        $this->allowedProtocols = $conf->get('security.allowed_protocols', []);
    }

    /**
     * @inheritdoc
     */
    public function formatDescription($bookmark)
    {
        if (in_array(self::NO_MD_TAG, $bookmark->getTags())) {
            return parent::formatDescription($bookmark);
        }

        $processedDescription = $this->tokenizeSearchHighlightField(
            $bookmark->getDescription() ?? '',
            $bookmark->getAdditionalContentEntry('search_highlight')['description'] ?? []
        );
        $processedDescription = $this->filterProtocols($processedDescription);
        $processedDescription = $this->formatHashTags($processedDescription);
        $processedDescription = $this->reverseEscapedHtml($processedDescription);
        $processedDescription = $this->parsedown
            ->setMarkupEscaped($this->escape)
            ->setBreaksEnabled(true)
            ->text($processedDescription);
        $processedDescription = $this->sanitizeHtml($processedDescription);
        $processedDescription = $this->replaceTokens($processedDescription);

        if (!empty($processedDescription)) {
            $processedDescription = '<div class="markdown">' . $processedDescription . '</div>';
        }

        return $processedDescription;
    }

    /**
     * Remove the NO markdown tag if it is present
     *
     * @inheritdoc
     */
    protected function formatTagList($bookmark)
    {
        $out = parent::formatTagList($bookmark);
        if ($this->isLoggedIn === false && ($pos = array_search(self::NO_MD_TAG, $out)) !== false) {
            unset($out[$pos]);
            return array_values($out);
        }
        return $out;
    }

    /**
     * Replace not whitelisted protocols with http:// in given description.
     * Also adds `index_url` to relative links if it's specified
     *
     * @param string $description      input description text.
     *
     * @return string $description without malicious link.
     */
    protected function filterProtocols($description)
    {
        $allowedProtocols = $this->allowedProtocols;
        $indexUrl = ! empty($this->contextData['index_url']) ? $this->contextData['index_url'] : '';

        return preg_replace_callback(
            '#]\((.*?)\)#is',
            function ($match) use ($allowedProtocols, $indexUrl) {
                $link = startsWith($match[1], '?') || startsWith($match[1], '/') ? $indexUrl : '';
                $link .= whitelist_protocols($match[1], $allowedProtocols);
                return '](' . $link . ')';
            },
            $description
        );
    }

    /**
     * Replace hashtag in Markdown links format
     * E.g. `#hashtag` becomes `[#hashtag](./add-tag/hashtag)`
     * It includes the index URL if specified.
     *
     * @param string $description
     *
     * @return string
     */
    protected function formatHashTags($description)
    {
        $indexUrl = ! empty($this->contextData['index_url']) ? $this->contextData['index_url'] : '';
        $tokens = '(?:' . BookmarkDefaultFormatter::SEARCH_HIGHLIGHT_OPEN . ')' .
            '(?:' . BookmarkDefaultFormatter::SEARCH_HIGHLIGHT_CLOSE . ')'
        ;

        /*
         * To support unicode: http://stackoverflow.com/a/35498078/1484919
         * \p{Pc} - to match underscore
         * \p{N} - numeric character in any script
         * \p{L} - letter from any language
         * \p{Mn} - any non marking space (accents, umlauts, etc)
         */
        $regex = '/(^|\s)#([\p{Pc}\p{N}\p{L}\p{Mn}' . $tokens . ']+)/mui';
        $replacement = function (array $match) use ($indexUrl): string {
            $cleanMatch = str_replace(
                BookmarkDefaultFormatter::SEARCH_HIGHLIGHT_OPEN,
                '',
                str_replace(BookmarkDefaultFormatter::SEARCH_HIGHLIGHT_CLOSE, '', $match[2])
            );
            return $match[1] . '[#' . $match[2] . '](' . $indexUrl . './add-tag/' . $cleanMatch . ')';
        };

        $descriptionLines = explode(PHP_EOL, $description);
        $descriptionOut = '';
        $codeBlockOn = false;
        $lineCount = 0;

        foreach ($descriptionLines as $descriptionLine) {
            // Detect line of code: starting with 4 spaces,
            // except lists which can start with +/*/- or `2.` after spaces.
            $codeLineOn = preg_match('/^    +(?=[^\+\*\-])(?=(?!\d\.).)/', $descriptionLine) > 0;
            // Detect and toggle block of code
            if (!$codeBlockOn) {
                $codeBlockOn = preg_match('/^```/', $descriptionLine) > 0;
            } elseif (preg_match('/^```/', $descriptionLine) > 0) {
                $codeBlockOn = false;
            }

            if (!$codeBlockOn && !$codeLineOn) {
                $descriptionLine = preg_replace_callback($regex, $replacement, $descriptionLine);
            }

            $descriptionOut .= $descriptionLine;
            if ($lineCount++ < count($descriptionLines) - 1) {
                $descriptionOut .= PHP_EOL;
            }
        }

        return $descriptionOut;
    }

    /**
     * Remove dangerous HTML tags (tags, iframe, etc.).
     * Doesn't affect <code> content (already escaped by Parsedown).
     *
     * @param string $description input description text.
     *
     * @return string given string escaped.
     */
    protected function sanitizeHtml($description)
    {
        $escapeTags = [
            'script',
            'style',
            'link',
            'iframe',
            'frameset',
            'frame',
        ];
        foreach ($escapeTags as $tag) {
            $description = preg_replace_callback(
                '#<\s*' . $tag . '[^>]*>(.*</\s*' . $tag . '[^>]*>)?#is',
                function ($match) {
                    return escape($match[0]);
                },
                $description
            );
        }
        $description = preg_replace(
            '#(<[^>]+\s)on[a-z]*="?[^ "]*"?#is',
            '$1',
            $description
        );
        return $description;
    }

    protected function reverseEscapedHtml($description)
    {
        return unescape($description);
    }
}
Commit	Line	Data
	1	<?php
	2
	3	namespace Shaarli\Formatter;
	4
	5	use Shaarli\Config\ConfigManager;
	6	use Shaarli\Formatter\Parsedown\ShaarliParsedown;
	7
	8	/**
	9	* Class BookmarkMarkdownFormatter
	10	*
	11	* Format bookmark description into Markdown format.
	12	*
	13	* @package Shaarli\Formatter
	14	*/
	15	class BookmarkMarkdownFormatter extends BookmarkDefaultFormatter
	16	{
	17	/**
	18	* When this tag is present in a bookmark, its description should not be processed with Markdown
	19	*/
	20	public const NO_MD_TAG = 'nomarkdown';
	21
	22	/** @var \Parsedown instance */
	23	protected $parsedown;
	24
	25	/** @var bool used to escape HTML in Markdown or not.
	26	* It MUST be set to true for shared instance as HTML content can
	27	* introduce XSS vulnerabilities.
	28	*/
	29	protected $escape;
	30
	31	/**
	32	* @var array List of allowed protocols for links inside bookmark's description.
	33	*/
	34	protected $allowedProtocols;
	35
	36	/**
	37	* LinkMarkdownFormatter constructor.
	38	*
	39	* @param ConfigManager $conf instance
	40	* @param bool $isLoggedIn
	41	*/
	42	public function __construct(ConfigManager $conf, bool $isLoggedIn)
	43	{
	44	parent::__construct($conf, $isLoggedIn);
	45
	46	$this->parsedown = new ShaarliParsedown();
	47	$this->escape = $conf->get('security.markdown_escape', true);
	48	$this->allowedProtocols = $conf->get('security.allowed_protocols', []);
	49	}
	50
	51	/**
	52	* @inheritdoc
	53	*/
	54	public function formatDescription($bookmark)
	55	{
	56	if (in_array(self::NO_MD_TAG, $bookmark->getTags())) {
	57	return parent::formatDescription($bookmark);
	58	}
	59
	60	$processedDescription = $this->tokenizeSearchHighlightField(
	61	$bookmark->getDescription() ?? '',
	62	$bookmark->getAdditionalContentEntry('search_highlight')['description'] ?? []
	63	);
	64	$processedDescription = $this->filterProtocols($processedDescription);
	65	$processedDescription = $this->formatHashTags($processedDescription);
	66	$processedDescription = $this->reverseEscapedHtml($processedDescription);
	67	$processedDescription = $this->parsedown
	68	->setMarkupEscaped($this->escape)
	69	->setBreaksEnabled(true)
	70	->text($processedDescription);
	71	$processedDescription = $this->sanitizeHtml($processedDescription);
	72	$processedDescription = $this->replaceTokens($processedDescription);
	73
	74	if (!empty($processedDescription)) {
	75	$processedDescription = '<div class="markdown">' . $processedDescription . '</div>';
	76	}
	77
	78	return $processedDescription;
	79	}
	80
	81	/**
	82	* Remove the NO markdown tag if it is present
	83	*
	84	* @inheritdoc
	85	*/
	86	protected function formatTagList($bookmark)
	87	{
	88	$out = parent::formatTagList($bookmark);
	89	if ($this->isLoggedIn === false && ($pos = array_search(self::NO_MD_TAG, $out)) !== false) {
	90	unset($out[$pos]);
	91	return array_values($out);
	92	}
	93	return $out;
	94	}
	95
	96	/**
	97	* Replace not whitelisted protocols with http:// in given description.
	98	* Also adds `index_url` to relative links if it's specified
	99	*
	100	* @param string $description input description text.
	101	*
	102	* @return string $description without malicious link.
	103	*/
	104	protected function filterProtocols($description)
	105	{
	106	$allowedProtocols = $this->allowedProtocols;
	107	$indexUrl = ! empty($this->contextData['index_url']) ? $this->contextData['index_url'] : '';
	108
	109	return preg_replace_callback(
	110	'#]\((.*?)\)#is',
	111	function ($match) use ($allowedProtocols, $indexUrl) {
	112	$link = startsWith($match[1], '?') \|\| startsWith($match[1], '/') ? $indexUrl : '';
	113	$link .= whitelist_protocols($match[1], $allowedProtocols);
	114	return '](' . $link . ')';
	115	},
	116	$description
	117	);
	118	}
	119
	120	/**
	121	* Replace hashtag in Markdown links format
	122	* E.g. `#hashtag` becomes `[#hashtag](./add-tag/hashtag)`
	123	* It includes the index URL if specified.
	124	*
	125	* @param string $description
	126	*
	127	* @return string
	128	*/
	129	protected function formatHashTags($description)
	130	{
	131	$indexUrl = ! empty($this->contextData['index_url']) ? $this->contextData['index_url'] : '';
	132	$tokens = '(?:' . BookmarkDefaultFormatter::SEARCH_HIGHLIGHT_OPEN . ')' .
	133	'(?:' . BookmarkDefaultFormatter::SEARCH_HIGHLIGHT_CLOSE . ')'
	134	;
	135
	136	/*
	137	* To support unicode: http://stackoverflow.com/a/35498078/1484919
	138	* \p{Pc} - to match underscore
	139	* \p{N} - numeric character in any script
	140	* \p{L} - letter from any language
	141	* \p{Mn} - any non marking space (accents, umlauts, etc)
	142	*/
	143	$regex = '/(^\|\s)#([\p{Pc}\p{N}\p{L}\p{Mn}' . $tokens . ']+)/mui';
	144	$replacement = function (array $match) use ($indexUrl): string {
	145	$cleanMatch = str_replace(
	146	BookmarkDefaultFormatter::SEARCH_HIGHLIGHT_OPEN,
	147	'',
	148	str_replace(BookmarkDefaultFormatter::SEARCH_HIGHLIGHT_CLOSE, '', $match[2])
	149	);
	150	return $match[1] . '[#' . $match[2] . '](' . $indexUrl . './add-tag/' . $cleanMatch . ')';
	151	};
	152
	153	$descriptionLines = explode(PHP_EOL, $description);
	154	$descriptionOut = '';
	155	$codeBlockOn = false;
	156	$lineCount = 0;
	157
	158	foreach ($descriptionLines as $descriptionLine) {
	159	// Detect line of code: starting with 4 spaces,
	160	// except lists which can start with +/*/- or `2.` after spaces.
	161	$codeLineOn = preg_match('/^ +(?=[^\+\*\-])(?=(?!\d\.).)/', $descriptionLine) > 0;
	162	// Detect and toggle block of code
	163	if (!$codeBlockOn) {
	164	$codeBlockOn = preg_match('/^```/', $descriptionLine) > 0;
	165	} elseif (preg_match('/^```/', $descriptionLine) > 0) {
	166	$codeBlockOn = false;
	167	}
	168
	169	if (!$codeBlockOn && !$codeLineOn) {
	170	$descriptionLine = preg_replace_callback($regex, $replacement, $descriptionLine);
	171	}
	172
	173	$descriptionOut .= $descriptionLine;
	174	if ($lineCount++ < count($descriptionLines) - 1) {
	175	$descriptionOut .= PHP_EOL;
	176	}
	177	}
	178
	179	return $descriptionOut;
	180	}
	181
	182	/**
	183	* Remove dangerous HTML tags (tags, iframe, etc.).
	184	* Doesn't affect <code> content (already escaped by Parsedown).
	185	*
	186	* @param string $description input description text.
	187	*
	188	* @return string given string escaped.
	189	*/
	190	protected function sanitizeHtml($description)
	191	{
	192	$escapeTags = [
	193	'script',
	194	'style',
	195	'link',
	196	'iframe',
	197	'frameset',
	198	'frame',
	199	];
	200	foreach ($escapeTags as $tag) {
	201	$description = preg_replace_callback(
	202	'#<\s' . $tag . '[^>]>(.</\s' . $tag . '[^>]*>)?#is',
	203	function ($match) {
	204	return escape($match[0]);
	205	},
	206	$description
	207	);
	208	}
	209	$description = preg_replace(
	210	'#(<[^>]+\s)on[a-z]="?[^ "]"?#is',
	211	'$1',
	212	$description
	213	);
	214	return $description;
	215	}
	216
	217	protected function reverseEscapedHtml($description)
	218	{
	219	return unescape($description);
	220	}
	221	}