X-Git-Url: https://git.immae.eu/?a=blobdiff_plain;f=plugins%2Fmarkdown%2Fmarkdown.php;h=08e64dae087e1a9828bd23d8c0f54680c485e263;hb=e95247d41dbe3b46c83d97f2a9d0e7bd1194bf08;hp=3630ef14aa91540a0b06d4c965806fe3390be746;hpb=268a2e52659964fb7d033a1bb4d1490bf8cc49bf;p=github%2Fshaarli%2FShaarli.git
diff --git a/plugins/markdown/markdown.php b/plugins/markdown/markdown.php
index 3630ef14..08e64dae 100644
--- a/plugins/markdown/markdown.php
+++ b/plugins/markdown/markdown.php
@@ -6,19 +6,59 @@
* Shaare's descriptions are parsed with Markdown.
*/
-require_once 'Parsedown.php';
+use Shaarli\Config\ConfigManager;
+
+/*
+ * If this tag is used on a shaare, the description won't be processed by Parsedown.
+ */
+define('NO_MD_TAG', 'nomarkdown');
/**
* Parse linklist descriptions.
*
+ * @param array $data linklist data.
+ * @param ConfigManager $conf instance.
+ *
+ * @return mixed linklist data parsed in markdown (and converted to HTML).
+ */
+function hook_markdown_render_linklist($data, $conf)
+{
+ foreach ($data['links'] as &$value) {
+ if (!empty($value['tags']) && noMarkdownTag($value['tags'])) {
+ $value = stripNoMarkdownTag($value);
+ continue;
+ }
+ $value['description_src'] = $value['description'];
+ $value['description'] = process_markdown(
+ $value['description'],
+ $conf->get('security.markdown_escape', true),
+ $conf->get('security.allowed_protocols')
+ );
+ }
+ return $data;
+}
+
+/**
+ * Parse feed linklist descriptions.
+ *
* @param array $data linklist data.
+ * @param ConfigManager $conf instance.
*
* @return mixed linklist data parsed in markdown (and converted to HTML).
*/
-function hook_markdown_render_linklist($data)
+function hook_markdown_render_feed($data, $conf)
{
foreach ($data['links'] as &$value) {
- $value['description'] = process_markdown($value['description']);
+ if (!empty($value['tags']) && noMarkdownTag($value['tags'])) {
+ $value = stripNoMarkdownTag($value);
+ continue;
+ }
+ $value['description'] = reverse_feed_permalink($value['description']);
+ $value['description'] = process_markdown(
+ $value['description'],
+ $conf->get('security.markdown_escape', true),
+ $conf->get('security.allowed_protocols')
+ );
}
return $data;
@@ -27,22 +67,65 @@ function hook_markdown_render_linklist($data)
/**
* Parse daily descriptions.
*
- * @param array $data daily data.
+ * @param array $data daily data.
+ * @param ConfigManager $conf instance.
*
* @return mixed daily data parsed in markdown (and converted to HTML).
*/
-function hook_markdown_render_daily($data)
+function hook_markdown_render_daily($data, $conf)
{
+ //var_dump($data);die;
// Manipulate columns data
- foreach ($data['cols'] as &$value) {
- foreach ($value as &$value2) {
- $value2['formatedDescription'] = process_markdown($value2['formatedDescription']);
+ foreach ($data['linksToDisplay'] as &$value) {
+ if (!empty($value['tags']) && noMarkdownTag($value['tags'])) {
+ $value = stripNoMarkdownTag($value);
+ continue;
}
+ $value['formatedDescription'] = process_markdown(
+ $value['formatedDescription'],
+ $conf->get('security.markdown_escape', true),
+ $conf->get('security.allowed_protocols')
+ );
}
return $data;
}
+/**
+ * Check if noMarkdown is set in tags.
+ *
+ * @param string $tags tag list
+ *
+ * @return bool true if markdown should be disabled on this link.
+ */
+function noMarkdownTag($tags)
+{
+ return preg_match('/(^|\s)'. NO_MD_TAG .'(\s|$)/', $tags);
+}
+
+/**
+ * Remove the no-markdown meta tag so it won't be displayed.
+ *
+ * @param array $link Link data.
+ *
+ * @return array Updated link without no markdown tag.
+ */
+function stripNoMarkdownTag($link)
+{
+ if (! empty($link['taglist'])) {
+ $offset = array_search(NO_MD_TAG, $link['taglist']);
+ if ($offset !== false) {
+ unset($link['taglist'][$offset]);
+ }
+ }
+
+ if (!empty($link['tags'])) {
+ str_replace(NO_MD_TAG, '', $link['tags']);
+ }
+
+ return $link;
+}
+
/**
* When link list is displayed, include markdown CSS.
*
@@ -56,7 +139,7 @@ function hook_markdown_render_includes($data)
|| $data['_PAGE_'] == Router::$PAGE_DAILY
|| $data['_PAGE_'] == Router::$PAGE_EDITLINK
) {
-
+
$data['css_files'][] = PluginManager::$PLUGINS_PATH . '/markdown/markdown.css';
}
@@ -74,7 +157,18 @@ function hook_markdown_render_includes($data)
function hook_markdown_render_editlink($data)
{
// Load help HTML into a string
- $data['edit_link_plugin'][] = file_get_contents(PluginManager::$PLUGINS_PATH .'/markdown/help.html');
+ $txt = file_get_contents(PluginManager::$PLUGINS_PATH .'/markdown/help.html');
+ $translations = [
+ t('Description will be rendered with'),
+ t('Markdown syntax documentation'),
+ t('Markdown syntax'),
+ ];
+ $data['edit_link_plugin'][] = vsprintf($txt, $translations);
+ // Add no markdown 'meta-tag' in tag list if it was never used, for autocompletion.
+ if (! in_array(NO_MD_TAG, $data['tags'])) {
+ $data['tags'][NO_MD_TAG] = 0;
+ }
+
return $data;
}
@@ -89,7 +183,54 @@ function hook_markdown_render_editlink($data)
*/
function reverse_text2clickable($description)
{
- return preg_replace('![^ ]+!m', '$1', $description);
+ $descriptionLines = explode(PHP_EOL, $description);
+ $descriptionOut = '';
+ $codeBlockOn = false;
+ $lineCount = 0;
+
+ foreach ($descriptionLines as $descriptionLine) {
+ // Detect line of code: starting with 4 spaces,
+ // except lists which can start with +/*/- or `2.` after spaces.
+ $codeLineOn = preg_match('/^ +(?=[^\+\*\-])(?=(?!\d\.).)/', $descriptionLine) > 0;
+ // Detect and toggle block of code
+ if (!$codeBlockOn) {
+ $codeBlockOn = preg_match('/^```/', $descriptionLine) > 0;
+ }
+ elseif (preg_match('/^```/', $descriptionLine) > 0) {
+ $codeBlockOn = false;
+ }
+
+ $hashtagTitle = ' title="Hashtag [^"]+"';
+ // Reverse `inline code` hashtags.
+ $descriptionLine = preg_replace(
+ '!(`[^`\n]*)([^<]+)([^`\n]*`)!m',
+ '$1$2$3',
+ $descriptionLine
+ );
+
+ // Reverse all links in code blocks, only non hashtag elsewhere.
+ $hashtagFilter = (!$codeBlockOn && !$codeLineOn) ? '(?!'. $hashtagTitle .')': '(?:'. $hashtagTitle .')?';
+ $descriptionLine = preg_replace(
+ '#([^<]+)#m',
+ '$1',
+ $descriptionLine
+ );
+
+ // Make hashtag links markdown ready, otherwise the links will be ignored with escape set to true
+ if (!$codeBlockOn && !$codeLineOn) {
+ $descriptionLine = preg_replace(
+ '#([^<]+)#m',
+ '[$2]($1)',
+ $descriptionLine
+ );
+ }
+
+ $descriptionOut .= $descriptionLine;
+ if ($lineCount++ < count($descriptionLines) - 1) {
+ $descriptionOut .= PHP_EOL;
+ }
+ }
+ return $descriptionOut;
}
/**
@@ -116,43 +257,105 @@ function reverse_space2nbsp($description)
return preg_replace('/(^| ) /m', '$1 ', $description);
}
+function reverse_feed_permalink($description)
+{
+ return preg_replace('@— (\w+)$@im', '— [$2]($1)', $description);
+}
+
+/**
+ * Replace not whitelisted protocols with http:// in given description.
+ *
+ * @param string $description input description text.
+ * @param array $allowedProtocols list of allowed protocols.
+ *
+ * @return string $description without malicious link.
+ */
+function filter_protocols($description, $allowedProtocols)
+{
+ return preg_replace_callback(
+ '#]\((.*?)\)#is',
+ function ($match) use ($allowedProtocols) {
+ return ']('. whitelist_protocols($match[1], $allowedProtocols) .')';
+ },
+ $description
+ );
+}
+
/**
- * Remove '>' at start of line auto generated by Shaarli core system
- * to allow markdown blockquotes.
+ * Remove dangerous HTML tags (tags, iframe, etc.).
+ * Doesn't affect content (already escaped by Parsedown).
*
* @param string $description input description text.
*
- * @return string $description without HTML links.
+ * @return string given string escaped.
*/
-function reset_quote_tags($description)
+function sanitize_html($description)
{
- return preg_replace('/^( *)> /m', '$1> ', $description);
+ $escapeTags = array(
+ 'script',
+ 'style',
+ 'link',
+ 'iframe',
+ 'frameset',
+ 'frame',
+ );
+ foreach ($escapeTags as $tag) {
+ $description = preg_replace_callback(
+ '#<\s*'. $tag .'[^>]*>(.*]*>)?#is',
+ function ($match) { return escape($match[0]); },
+ $description);
+ }
+ $description = preg_replace(
+ '#(<[^>]+\s)on[a-z]*="?[^ "]*"?#is',
+ '$1',
+ $description);
+ return $description;
}
/**
* Render shaare contents through Markdown parser.
* 1. Remove HTML generated by Shaarli core.
- * 2. Generate markdown descriptions.
- * 3. Wrap description in 'markdown' CSS class.
+ * 2. Reverse the escape function.
+ * 3. Generate markdown descriptions.
+ * 4. Sanitize sensible HTML tags for security.
+ * 5. Wrap description in 'markdown' CSS class.
*
* @param string $description input description text.
+ * @param bool $escape escape HTML entities
*
* @return string HTML processed $description.
*/
-function process_markdown($description)
+function process_markdown($description, $escape = true, $allowedProtocols = [])
{
$parsedown = new Parsedown();
$processedDescription = $description;
- $processedDescription = reverse_text2clickable($processedDescription);
$processedDescription = reverse_nl2br($processedDescription);
$processedDescription = reverse_space2nbsp($processedDescription);
- $processedDescription = reset_quote_tags($processedDescription);
+ $processedDescription = reverse_text2clickable($processedDescription);
+ $processedDescription = filter_protocols($processedDescription, $allowedProtocols);
+ $processedDescription = unescape($processedDescription);
$processedDescription = $parsedown
- ->setMarkupEscaped(false)
+ ->setMarkupEscaped($escape)
->setBreaksEnabled(true)
->text($processedDescription);
- $processedDescription = ''. $processedDescription . '
';
+ $processedDescription = sanitize_html($processedDescription);
+
+ if(!empty($processedDescription)){
+ $processedDescription = ''. $processedDescription . '
';
+ }
return $processedDescription;
}
+
+/**
+ * This function is never called, but contains translation calls for GNU gettext extraction.
+ */
+function markdown_dummy_translation()
+{
+ // meta
+ t('Render shaare description with Markdown syntax.
Warning:
+If your shaared descriptions contained HTML tags before enabling the markdown plugin,
+enabling it might break your page.
+See the README.');
+}