content (already escaped by Parsedown).
*
* @param string $description input description text.
*
- * @return string $description without HTML links.
+ * @return string given string escaped.
*/
-function reset_quote_tags($description)
+function sanitize_html($description)
{
- return preg_replace('/^( *)> /m', '$1> ', $description);
+ $escapeTags = array(
+ 'script',
+ 'style',
+ 'link',
+ 'iframe',
+ 'frameset',
+ 'frame',
+ );
+ foreach ($escapeTags as $tag) {
+ $description = preg_replace_callback(
+ '#<\s*'. $tag .'[^>]*>(.*\s*'. $tag .'[^>]*>)?#is',
+ function ($match) { return escape($match[0]); },
+ $description);
+ }
+ $description = preg_replace(
+ '#(<[^>]+\s)on[a-z]*="?[^ "]*"?#is',
+ '$1',
+ $description);
+ return $description;
}
/**
* Render shaare contents through Markdown parser.
* 1. Remove HTML generated by Shaarli core.
- * 2. Generate markdown descriptions.
- * 3. Wrap description in 'markdown' CSS class.
+ * 2. Reverse the escape function.
+ * 3. Generate markdown descriptions.
+ * 4. Sanitize sensible HTML tags for security.
+ * 5. Wrap description in 'markdown' CSS class.
*
* @param string $description input description text.
+ * @param bool $escape escape HTML entities
*
* @return string HTML processed $description.
*/
-function process_markdown($description)
+function process_markdown($description, $escape = true, $allowedProtocols = [])
{
$parsedown = new Parsedown();
$processedDescription = $description;
- $processedDescription = reverse_text2clickable($processedDescription);
$processedDescription = reverse_nl2br($processedDescription);
$processedDescription = reverse_space2nbsp($processedDescription);
- $processedDescription = reset_quote_tags($processedDescription);
+ $processedDescription = reverse_text2clickable($processedDescription);
+ $processedDescription = filter_protocols($processedDescription, $allowedProtocols);
+ $processedDescription = unescape($processedDescription);
$processedDescription = $parsedown
- ->setMarkupEscaped(false)
+ ->setMarkupEscaped($escape)
->setBreaksEnabled(true)
->text($processedDescription);
- $processedDescription = ''. $processedDescription . '
';
+ $processedDescription = sanitize_html($processedDescription);
+
+ if(!empty($processedDescription)){
+ $processedDescription = ''. $processedDescription . '
';
+ }
return $processedDescription;
}
+
+/**
+ * This function is never called, but contains translation calls for GNU gettext extraction.
+ */
+function markdown_dummy_translation()
+{
+ // meta
+ t('Render shaare description with Markdown syntax.
Warning:
+If your shaared descriptions contained HTML tags before enabling the markdown plugin,
+enabling it might break your page.
+See the README.');
+}