[github/shaarli/Shaarli.git] / application / formatter / BookmarkMarkdownFormatter.php

<?php

namespace Shaarli\Formatter;

use Shaarli\Config\ConfigManager;

/**
 * Class BookmarkMarkdownFormatter
 *
 * Format bookmark description into Markdown format.
 *
 * @package Shaarli\Formatter
 */
class BookmarkMarkdownFormatter extends BookmarkDefaultFormatter
{
    /**
     * When this tag is present in a bookmark, its description should not be processed with Markdown
     */
    const NO_MD_TAG = 'nomarkdown';

    /** @var \Parsedown instance */
    protected $parsedown;

    /** @var bool used to escape HTML in Markdown or not.
     *            It MUST be set to true for shared instance as HTML content can
     *            introduce XSS vulnerabilities.
     */
    protected $escape;

    /**
     * @var array List of allowed protocols for links inside bookmark's description.
     */
    protected $allowedProtocols;

    /**
     * LinkMarkdownFormatter constructor.
     *
     * @param ConfigManager $conf instance
     * @param bool          $isLoggedIn
     */
    public function __construct(ConfigManager $conf, bool $isLoggedIn)
    {
        parent::__construct($conf, $isLoggedIn);

        $this->parsedown = new \Parsedown();
        $this->escape = $conf->get('security.markdown_escape', true);
        $this->allowedProtocols = $conf->get('security.allowed_protocols', []);
    }

    /**
     * @inheritdoc
     */
    public function formatDescription($bookmark)
    {
        if (in_array(self::NO_MD_TAG, $bookmark->getTags())) {
            return parent::formatDescription($bookmark);
        }

        $processedDescription = $bookmark->getDescription();
        $processedDescription = $this->filterProtocols($processedDescription);
        $processedDescription = $this->formatHashTags($processedDescription);
        $processedDescription = $this->reverseEscapedHtml($processedDescription);
        $processedDescription = $this->parsedown
            ->setMarkupEscaped($this->escape)
            ->setBreaksEnabled(true)
            ->text($processedDescription);
        $processedDescription = $this->sanitizeHtml($processedDescription);

        if (!empty($processedDescription)) {
            $processedDescription = '<div class="markdown">'. $processedDescription . '</div>';
        }

        return $processedDescription;
    }

    /**
     * Remove the NO markdown tag if it is present
     *
     * @inheritdoc
     */
    protected function formatTagList($bookmark)
    {
        $out = parent::formatTagList($bookmark);
        if ($this->isLoggedIn === false && ($pos = array_search(self::NO_MD_TAG, $out)) !== false) {
            unset($out[$pos]);
            return array_values($out);
        }
        return $out;
    }

    /**
     * Replace not whitelisted protocols with http:// in given description.
     * Also adds `index_url` to relative links if it's specified
     *
     * @param string $description      input description text.
     *
     * @return string $description without malicious link.
     */
    protected function filterProtocols($description)
    {
        $allowedProtocols = $this->allowedProtocols;
        $indexUrl = ! empty($this->contextData['index_url']) ? $this->contextData['index_url'] : '';

        return preg_replace_callback(
            '#]\((.*?)\)#is',
            function ($match) use ($allowedProtocols, $indexUrl) {
                $link = startsWith($match[1], '?') || startsWith($match[1], '/') ? $indexUrl : '';
                $link .= whitelist_protocols($match[1], $allowedProtocols);
                return ']('. $link.')';
            },
            $description
        );
    }

    /**
     * Replace hashtag in Markdown links format
     * E.g. `#hashtag` becomes `[#hashtag](./add-tag/hashtag)`
     * It includes the index URL if specified.
     *
     * @param string $description
     *
     * @return string
     */
    protected function formatHashTags($description)
    {
        $indexUrl = ! empty($this->contextData['index_url']) ? $this->contextData['index_url'] : '';

        /*
         * To support unicode: http://stackoverflow.com/a/35498078/1484919
         * \p{Pc} - to match underscore
         * \p{N} - numeric character in any script
         * \p{L} - letter from any language
         * \p{Mn} - any non marking space (accents, umlauts, etc)
         */
        $regex = '/(^|\s)#([\p{Pc}\p{N}\p{L}\p{Mn}]+)/mui';
        $replacement = '$1[#$2]('. $indexUrl .'./add-tag/$2)';

        $descriptionLines = explode(PHP_EOL, $description);
        $descriptionOut = '';
        $codeBlockOn = false;
        $lineCount = 0;

        foreach ($descriptionLines as $descriptionLine) {
            // Detect line of code: starting with 4 spaces,
            // except lists which can start with +/*/- or `2.` after spaces.
            $codeLineOn = preg_match('/^    +(?=[^\+\*\-])(?=(?!\d\.).)/', $descriptionLine) > 0;
            // Detect and toggle block of code
            if (!$codeBlockOn) {
                $codeBlockOn = preg_match('/^```/', $descriptionLine) > 0;
            } elseif (preg_match('/^```/', $descriptionLine) > 0) {
                $codeBlockOn = false;
            }

            if (!$codeBlockOn && !$codeLineOn) {
                $descriptionLine = preg_replace($regex, $replacement, $descriptionLine);
            }

            $descriptionOut .= $descriptionLine;
            if ($lineCount++ < count($descriptionLines) - 1) {
                $descriptionOut .= PHP_EOL;
            }
        }

        return $descriptionOut;
    }

    /**
     * Remove dangerous HTML tags (tags, iframe, etc.).
     * Doesn't affect <code> content (already escaped by Parsedown).
     *
     * @param string $description input description text.
     *
     * @return string given string escaped.
     */
    protected function sanitizeHtml($description)
    {
        $escapeTags = array(
            'script',
            'style',
            'link',
            'iframe',
            'frameset',
            'frame',
        );
        foreach ($escapeTags as $tag) {
            $description = preg_replace_callback(
                '#<\s*'. $tag .'[^>]*>(.*</\s*'. $tag .'[^>]*>)?#is',
                function ($match) {
                    return escape($match[0]);
                },
                $description
            );
        }
        $description = preg_replace(
            '#(<[^>]+\s)on[a-z]*="?[^ "]*"?#is',
            '$1',
            $description
        );
        return $description;
    }

    protected function reverseEscapedHtml($description)
    {
        return unescape($description);
    }
}
Commit	Line	Data
336a28fa A	1	<?php
	2
	3	namespace Shaarli\Formatter;
	4
	5	use Shaarli\Config\ConfigManager;
	6
	7	/**
	8	* Class BookmarkMarkdownFormatter
	9	*
	10	* Format bookmark description into Markdown format.
	11	*
	12	* @package Shaarli\Formatter
	13	*/
	14	class BookmarkMarkdownFormatter extends BookmarkDefaultFormatter
	15	{
	16	/**
	17	* When this tag is present in a bookmark, its description should not be processed with Markdown
	18	*/
	19	const NO_MD_TAG = 'nomarkdown';
	20
	21	/** @var \Parsedown instance */
	22	protected $parsedown;
	23
	24	/** @var bool used to escape HTML in Markdown or not.
	25	* It MUST be set to true for shared instance as HTML content can
	26	* introduce XSS vulnerabilities.
	27	*/
	28	protected $escape;
	29
	30	/**
	31	* @var array List of allowed protocols for links inside bookmark's description.
	32	*/
	33	protected $allowedProtocols;
	34
	35	/**
	36	* LinkMarkdownFormatter constructor.
	37	*
	38	* @param ConfigManager $conf instance
a39acb25	39	* @param bool $isLoggedIn
336a28fa	40	*/
a39acb25	41	public function __construct(ConfigManager $conf, bool $isLoggedIn)
336a28fa	42	{
a39acb25 A	43	parent::__construct($conf, $isLoggedIn);
a39acb25 A	44
336a28fa A	45	$this->parsedown = new \Parsedown();
	46	$this->escape = $conf->get('security.markdown_escape', true);
	47	$this->allowedProtocols = $conf->get('security.allowed_protocols', []);
	48	}
	49
	50	/**
	51	* @inheritdoc
	52	*/
	53	public function formatDescription($bookmark)
	54	{
	55	if (in_array(self::NO_MD_TAG, $bookmark->getTags())) {
	56	return parent::formatDescription($bookmark);
	57	}
	58
	59	$processedDescription = $bookmark->getDescription();
	60	$processedDescription = $this->filterProtocols($processedDescription);
	61	$processedDescription = $this->formatHashTags($processedDescription);
cf92b4dd	62	$processedDescription = $this->reverseEscapedHtml($processedDescription);
336a28fa A	63	$processedDescription = $this->parsedown
	64	->setMarkupEscaped($this->escape)
	65	->setBreaksEnabled(true)
	66	->text($processedDescription);
	67	$processedDescription = $this->sanitizeHtml($processedDescription);
	68
	69	if (!empty($processedDescription)) {
	70	$processedDescription = '<div class="markdown">'. $processedDescription . '</div>';
	71	}
	72
	73	return $processedDescription;
	74	}
	75
	76	/**
	77	* Remove the NO markdown tag if it is present
	78	*
	79	* @inheritdoc
	80	*/
	81	protected function formatTagList($bookmark)
	82	{
	83	$out = parent::formatTagList($bookmark);
a39acb25	84	if ($this->isLoggedIn === false && ($pos = array_search(self::NO_MD_TAG, $out)) !== false) {
336a28fa A	85	unset($out[$pos]);
	86	return array_values($out);
	87	}
	88	return $out;
	89	}
	90
	91	/**
	92	* Replace not whitelisted protocols with http:// in given description.
	93	* Also adds `index_url` to relative links if it's specified
	94	*
	95	* @param string $description input description text.
	96	*
	97	* @return string $description without malicious link.
	98	*/
	99	protected function filterProtocols($description)
	100	{
	101	$allowedProtocols = $this->allowedProtocols;
	102	$indexUrl = ! empty($this->contextData['index_url']) ? $this->contextData['index_url'] : '';
	103
	104	return preg_replace_callback(
	105	'#]\((.*?)\)#is',
	106	function ($match) use ($allowedProtocols, $indexUrl) {
	107	$link = startsWith($match[1], '?') \|\| startsWith($match[1], '/') ? $indexUrl : '';
	108	$link .= whitelist_protocols($match[1], $allowedProtocols);
	109	return ']('. $link.')';
	110	},
	111	$description
	112	);
	113	}
	114
	115	/**
	116	* Replace hashtag in Markdown links format
03340c18	117	* E.g. `#hashtag` becomes `[#hashtag](./add-tag/hashtag)`
336a28fa A	118	* It includes the index URL if specified.
	119	*
	120	* @param string $description
	121	*
	122	* @return string
	123	*/
	124	protected function formatHashTags($description)
	125	{
	126	$indexUrl = ! empty($this->contextData['index_url']) ? $this->contextData['index_url'] : '';
	127
	128	/*
	129	* To support unicode: http://stackoverflow.com/a/35498078/1484919
	130	* \p{Pc} - to match underscore
	131	* \p{N} - numeric character in any script
	132	* \p{L} - letter from any language
	133	* \p{Mn} - any non marking space (accents, umlauts, etc)
	134	*/
	135	$regex = '/(^\|\s)#([\p{Pc}\p{N}\p{L}\p{Mn}]+)/mui';
03340c18	136	$replacement = '$1[#$2]('. $indexUrl .'./add-tag/$2)';
336a28fa A	137
	138	$descriptionLines = explode(PHP_EOL, $description);
	139	$descriptionOut = '';
	140	$codeBlockOn = false;
	141	$lineCount = 0;
	142
	143	foreach ($descriptionLines as $descriptionLine) {
	144	// Detect line of code: starting with 4 spaces,
	145	// except lists which can start with +/*/- or `2.` after spaces.
	146	$codeLineOn = preg_match('/^ +(?=[^\+\*\-])(?=(?!\d\.).)/', $descriptionLine) > 0;
	147	// Detect and toggle block of code
	148	if (!$codeBlockOn) {
	149	$codeBlockOn = preg_match('/^```/', $descriptionLine) > 0;
	150	} elseif (preg_match('/^```/', $descriptionLine) > 0) {
	151	$codeBlockOn = false;
	152	}
	153
	154	if (!$codeBlockOn && !$codeLineOn) {
	155	$descriptionLine = preg_replace($regex, $replacement, $descriptionLine);
	156	}
	157
	158	$descriptionOut .= $descriptionLine;
	159	if ($lineCount++ < count($descriptionLines) - 1) {
	160	$descriptionOut .= PHP_EOL;
	161	}
	162	}
	163
	164	return $descriptionOut;
	165	}
	166
	167	/**
	168	* Remove dangerous HTML tags (tags, iframe, etc.).
	169	* Doesn't affect <code> content (already escaped by Parsedown).
	170	*
	171	* @param string $description input description text.
	172	*
	173	* @return string given string escaped.
	174	*/
	175	protected function sanitizeHtml($description)
	176	{
	177	$escapeTags = array(
	178	'script',
	179	'style',
	180	'link',
	181	'iframe',
	182	'frameset',
	183	'frame',
	184	);
	185	foreach ($escapeTags as $tag) {
	186	$description = preg_replace_callback(
	187	'#<\s'. $tag .'[^>]>(.</\s'. $tag .'[^>]*>)?#is',
	188	function ($match) {
	189	return escape($match[0]);
	190	},
	191	$description
	192	);
	193	}
	194	$description = preg_replace(
	195	'#(<[^>]+\s)on[a-z]="?[^ "]"?#is',
	196	'$1',
	197	$description
	198	);
	199	return $description;
	200	}
cf92b4dd A	201
	202	protected function reverseEscapedHtml($description)
	203	{
	204	return unescape($description);
	205	}
336a28fa	206	}