X-Git-Url: https://git.immae.eu/?a=blobdiff_plain;f=plugins%2Fmarkdown%2Fmarkdown.php;h=6b4aabf3ae8ad6798ab40bb12ba8b499c7b13609;hb=50142efd1b4b826f60b1e5673dba5ccbe26e0108;hp=de7c823dfa4731c9d71a593db3f2a1530fb41d25;hpb=e03761011521929a375ebb56f21adacb226a3a8d;p=github%2Fshaarli%2FShaarli.git diff --git a/plugins/markdown/markdown.php b/plugins/markdown/markdown.php index de7c823d..6b4aabf3 100644 --- a/plugins/markdown/markdown.php +++ b/plugins/markdown/markdown.php @@ -26,7 +26,11 @@ function hook_markdown_render_linklist($data, $conf) $value = stripNoMarkdownTag($value); continue; } - $value['description'] = process_markdown($value['description'], $conf->get('security.markdown_escape', true)); + $value['description'] = process_markdown( + $value['description'], + $conf->get('security.markdown_escape', true), + $conf->get('security.allowed_protocols') + ); } return $data; } @@ -46,7 +50,11 @@ function hook_markdown_render_feed($data, $conf) $value = stripNoMarkdownTag($value); continue; } - $value['description'] = process_markdown($value['description'], $conf->get('security.markdown_escape', true)); + $value['description'] = process_markdown( + $value['description'], + $conf->get('security.markdown_escape', true), + $conf->get('security.allowed_protocols') + ); } return $data; @@ -62,18 +70,18 @@ function hook_markdown_render_feed($data, $conf) */ function hook_markdown_render_daily($data, $conf) { + //var_dump($data);die; // Manipulate columns data - foreach ($data['cols'] as &$value) { - foreach ($value as &$value2) { - if (!empty($value2['tags']) && noMarkdownTag($value2['tags'])) { - $value2 = stripNoMarkdownTag($value2); - continue; - } - $value2['formatedDescription'] = process_markdown( - $value2['formatedDescription'], - $conf->get('security.markdown_escape', true) - ); + foreach ($data['linksToDisplay'] as &$value) { + if (!empty($value['tags']) && noMarkdownTag($value['tags'])) { + $value = stripNoMarkdownTag($value); + continue; } + $value['formatedDescription'] = process_markdown( + $value['formatedDescription'], + $conf->get('security.markdown_escape', true), + $conf->get('security.allowed_protocols') + ); } return $data; @@ -127,7 +135,7 @@ function hook_markdown_render_includes($data) || $data['_PAGE_'] == Router::$PAGE_DAILY || $data['_PAGE_'] == Router::$PAGE_EDITLINK ) { - + $data['css_files'][] = PluginManager::$PLUGINS_PATH . '/markdown/markdown.css'; } @@ -145,8 +153,13 @@ function hook_markdown_render_includes($data) function hook_markdown_render_editlink($data) { // Load help HTML into a string - $data['edit_link_plugin'][] = file_get_contents(PluginManager::$PLUGINS_PATH .'/markdown/help.html'); - + $txt = file_get_contents(PluginManager::$PLUGINS_PATH .'/markdown/help.html'); + $translations = [ + t('Description will be rendered with'), + t('Markdown syntax documentation'), + t('Markdown syntax'), + ]; + $data['edit_link_plugin'][] = vsprintf($txt, $translations); // Add no markdown 'meta-tag' in tag list if it was never used, for autocompletion. if (! in_array(NO_MD_TAG, $data['tags'])) { $data['tags'][NO_MD_TAG] = 0; @@ -231,6 +244,25 @@ function reverse_space2nbsp($description) return preg_replace('/(^| ) /m', '$1 ', $description); } +/** + * Replace not whitelisted protocols with http:// in given description. + * + * @param string $description input description text. + * @param array $allowedProtocols list of allowed protocols. + * + * @return string $description without malicious link. + */ +function filter_protocols($description, $allowedProtocols) +{ + return preg_replace_callback( + '#]\((.*?)\)#is', + function ($match) use ($allowedProtocols) { + return ']('. whitelist_protocols($match[1], $allowedProtocols) .')'; + }, + $description + ); +} + /** * Remove dangerous HTML tags (tags, iframe, etc.). * Doesn't affect content (already escaped by Parsedown). @@ -275,7 +307,7 @@ function sanitize_html($description) * * @return string HTML processed $description. */ -function process_markdown($description, $escape = true) +function process_markdown($description, $escape = true, $allowedProtocols = []) { $parsedown = new Parsedown(); @@ -283,6 +315,7 @@ function process_markdown($description, $escape = true) $processedDescription = reverse_nl2br($processedDescription); $processedDescription = reverse_space2nbsp($processedDescription); $processedDescription = reverse_text2clickable($processedDescription); + $processedDescription = filter_protocols($processedDescription, $allowedProtocols); $processedDescription = unescape($processedDescription); $processedDescription = $parsedown ->setMarkupEscaped($escape) @@ -296,3 +329,15 @@ function process_markdown($description, $escape = true) return $processedDescription; } + +/** + * This function is never called, but contains translation calls for GNU gettext extraction. + */ +function markdown_dummy_translation() +{ + // meta + t('Render shaare description with Markdown syntax.
Warning: +If your shaared descriptions contained HTML tags before enabling the markdown plugin, +enabling it might break your page. +See the README.'); +}