require_once 'Parsedown.php';
+/*
+ * If this tag is used on a shaare, the description won't be processed by Parsedown.
+ * Using a private tag so it won't appear for visitors.
+ */
+define('NO_MD_TAG', '.nomarkdown');
+
/**
* Parse linklist descriptions.
*
function hook_markdown_render_linklist($data)
{
foreach ($data['links'] as &$value) {
+ if (!empty($value['tags']) && noMarkdownTag($value['tags'])) {
+ continue;
+ }
$value['description'] = process_markdown($value['description']);
}
// Manipulate columns data
foreach ($data['cols'] as &$value) {
foreach ($value as &$value2) {
+ if (!empty($value2['tags']) && noMarkdownTag($value2['tags'])) {
+ continue;
+ }
$value2['formatedDescription'] = process_markdown($value2['formatedDescription']);
}
}
return $data;
}
+/**
+ * Check if noMarkdown is set in tags.
+ *
+ * @param string $tags tag list
+ *
+ * @return bool true if markdown should be disabled on this link.
+ */
+function noMarkdownTag($tags)
+{
+ return strpos($tags, NO_MD_TAG) !== false;
+}
+
/**
* When link list is displayed, include markdown CSS.
*
{
// Load help HTML into a string
$data['edit_link_plugin'][] = file_get_contents(PluginManager::$PLUGINS_PATH .'/markdown/help.html');
+
+ // Add no markdown 'meta-tag' in tag list if it was never used, for autocompletion.
+ if (! in_array(NO_MD_TAG, $data['tags'])) {
+ $data['tags'][NO_MD_TAG] = 0;
+ }
+
return $data;
}
}
/**
- * Remove '>' at start of line auto generated by Shaarli core system
- * to allow markdown blockquotes.
+ * Remove dangerous HTML tags (tags, iframe, etc.).
+ * Doesn't affect <code> content (already escaped by Parsedown).
*
* @param string $description input description text.
*
- * @return string $description without HTML links.
+ * @return string given string escaped.
*/
-function reset_quote_tags($description)
+function sanitize_html($description)
{
- return preg_replace('/^( *)> /m', '$1> ', $description);
+ $escapeTags = array(
+ 'script',
+ 'style',
+ 'link',
+ 'iframe',
+ 'frameset',
+ 'frame',
+ );
+ foreach ($escapeTags as $tag) {
+ $description = preg_replace_callback(
+ '#<\s*'. $tag .'[^>]*>(.*</\s*'. $tag .'[^>]*>)?#is',
+ function ($match) { return escape($match[0]); },
+ $description);
+ }
+ $description = preg_replace(
+ '#(<[^>]+)on[a-z]*="[^"]*"#is',
+ '$1',
+ $description);
+ return $description;
}
/**
* Render shaare contents through Markdown parser.
* 1. Remove HTML generated by Shaarli core.
- * 2. Generate markdown descriptions.
- * 3. Wrap description in 'markdown' CSS class.
+ * 2. Reverse the escape function.
+ * 3. Generate markdown descriptions.
+ * 4. Sanitize sensible HTML tags for security.
+ * 5. Wrap description in 'markdown' CSS class.
*
* @param string $description input description text.
*
$processedDescription = reverse_text2clickable($processedDescription);
$processedDescription = reverse_nl2br($processedDescription);
$processedDescription = reverse_space2nbsp($processedDescription);
- $processedDescription = reset_quote_tags($processedDescription);
+ $processedDescription = unescape($processedDescription);
$processedDescription = $parsedown
->setMarkupEscaped(false)
->setBreaksEnabled(true)
->text($processedDescription);
- $processedDescription = '<div class="markdown">'. $processedDescription . '</div>';
+ $processedDescription = sanitize_html($processedDescription);
+
+ if(!empty($processedDescription)){
+ $processedDescription = '<div class="markdown">'. $processedDescription . '</div>';
+ }
return $processedDescription;
}