From: VirtualTam
Date: Wed, 8 Mar 2017 19:38:41 +0000 (+0100)
Subject: security: escape HTML entities when using Markdown
X-Git-Tag: v0.7.1~1^2
X-Git-Url: https://git.immae.eu/?a=commitdiff_plain;h=refs%2Fpull%2F795%2Fhead;p=github%2Fshaarli%2FShaarli.git

security: escape HTML entities when using Markdown

Adapted from https://github.com/shaarli/Shaarli/pull/785

Signed-off-by: VirtualTam
---

diff --git a/plugins/markdown/markdown.php b/plugins/markdown/markdown.php
index 57fcce32..9d073fbd 100644
--- a/plugins/markdown/markdown.php
+++ b/plugins/markdown/markdown.php
@@ -218,7 +218,7 @@ function process_markdown($description)
 $processedDescription = reverse_space2nbsp($processedDescription);
 $processedDescription = unescape($processedDescription);
 $processedDescription = $parsedown
- ->setMarkupEscaped(false)
+ ->setMarkupEscaped(true)
 ->setBreaksEnabled(true)
 ->text($processedDescription);
 $processedDescription = sanitize_html($processedDescription);
diff --git a/tests/plugins/PluginMarkdownTest.php b/tests/plugins/PluginMarkdownTest.php
index fa7e1d52..67bf8968 100644
--- a/tests/plugins/PluginMarkdownTest.php
+++ b/tests/plugins/PluginMarkdownTest.php
@@ -149,4 +149,22 @@ class PluginMarkdownTest extends PHPUnit_Framework_TestCase
 $data = hook_markdown_render_daily($data);
 $this->assertEquals($str, $data['cols'][0][0]['formatedDescription']);
 }
+
+ /**
+ * Make sure that the HTML tags are escaped.
+ */
+ public function testMarkdownWithHtmlEscape()
+ {
+ $md = '**strong** strong';
+ $html = '
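Review bot: Switching to `setMarkupEscaped(true)` only controls raw HTML present in the markdown source; it does not constrain what Parsedown itself emits, so the `sanitize_html($processedDescription)` call on the hunk's last context line stays load-bearing and the layering deserves a comment so nobody later drops it as redundant. As far as I recall, the Parsedown release current at this date has no safe mode and writes link and image destinations as given, so any filtering of those must come from sanitize_html() or elsewhere — worth confirming against the vendored Parsedown version. I would put above the `$parsedown` chain: `// Escape raw HTML from the (deliberately unescaped) description; sanitize_html() below still post-filters Parsedown's own output.` Stating that the preceding `unescape()` is intentional also keeps the next reader from "fixing" it. process_markdown() starts and ends outside this hunk.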

strong <strong>strong</strong>

';
+ $data = array(
+ 'links' => array(
+ 0 => array(
+ 'description' => $md,
+ ),
+ ),
+ );
+ $data = hook_markdown_render_linklist($data);
+ $this->assertEquals($html, $data['links'][0]['description']);
+ }
 }
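Review bot: The new test pins the entire rendered string with `assertEquals`, so the escaping property is entangled with the markdown wrapper markup and will fail on unrelated wrapper changes; adding `$this->assertContains('&lt;strong&gt;', $data['links'][0]['description']);` states the security property directly. The preceding test shows a second rendering path, `hook_markdown_render_daily`, which this test does not exercise; if it goes through the same process_markdown() call, the escape case should be asserted there too. The docblock could also name what is being guarded: `Raw HTML in a description must be escaped, not rendered (markup escaping is enabled in process_markdown()).`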