author | VirtualTam <virtualtam@flibidi.net> | 2017-03-08 20:38:41 +0100 |
---|---|---|
committer | VirtualTam <virtualtam@flibidi.net> | 2017-03-08 20:38:41 +0100 |
commit | 1328d222680edf2ebdaea5624a7496240bd075f0 (patch) | |
tree | d515b37130d6ea07ff3ecccf9d6dd5a2ebf83ec0 | |
parent | ebd67c6e1b40aebdd3a52285ce9ff9412b2a3038 (diff) | |
security: escape HTML entities when using Markdown
Adapted from https://github.com/shaarli/Shaarli/pull/785
Signed-off-by: VirtualTam <virtualtam@flibidi.net>
-rw-r--r-- | plugins/markdown/markdown.php | 2 | ||||
-rw-r--r-- | tests/plugins/PluginMarkdownTest.php | 18 |
2 files changed, 19 insertions, 1 deletions
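--- a/plugins/markdown/markdown.php
+++ b/plugins/markdown/markdown.php
@@ -218,7 +218,7 @@ function process_markdown($description)
     $processedDescription = reverse_space2nbsp($processedDescription);
     $processedDescription = unescape($processedDescription);
     $processedDescription = $parsedown
-        ->setMarkupEscaped(false)
+        ->setMarkupEscaped(true)
         ->setBreaksEnabled(true)
         ->text($processedDescription);
     $processedDescription = sanitize_html($processedDescription);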
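Review bot: The flip to `setMarkupEscaped(true)` at line 221 sits directly after `unescape($processedDescription)` at line 219, and nothing in the hunk explains why the description is first un-escaped and then handed to Parsedown with markup escaping on; a reader will assume one of the two calls is a mistake. A short comment on line 219 would prevent that, e.g. `// Stored descriptions are HTML-escaped; restore the raw text so Parsedown sees the author's Markdown, then let Parsedown escape any literal HTML it finds.` Note that Parsedown's markup escaping only covers raw HTML in the input, not the `href`/`src` values Parsedown itself generates from Markdown link and image syntax, so the `sanitize_html()` call at line 224 is still the layer responsible for those and should keep its own comment saying so (I cannot see its implementation from here, so confirm it covers URL schemes). If the Parsedown version bundled here offers `setSafeMode()`, that would be the more complete switch, but I would verify availability before relying on it. `process_markdown()` starts and ends outside this hunk.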
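--- a/tests/plugins/PluginMarkdownTest.php
+++ b/tests/plugins/PluginMarkdownTest.php
@@ -149,4 +149,22 @@ class PluginMarkdownTest extends PHPUnit_Framework_TestCase
         $data = hook_markdown_render_daily($data);
         $this->assertEquals($str, $data['cols'][0][0]['formatedDescription']);
     }
+
+    /**
+     * Make sure that the HTML tags are escaped.
+     */
+    public function testMarkdownWithHtmlEscape()
+    {
+        $md = '**strong** <strong>strong</strong>';
+        $html = '<div class="markdown"><p><strong>strong</strong> <strong>strong</strong></p></div>';
+        $data = array(
+            'links' => array(
+                0 => array(
+                    'description' => $md,
+                ),
+            ),
+        );
+        $data = hook_markdown_render_linklist($data);
+        $this->assertEquals($html, $data['links'][0]['description']);
+    }
 }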
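Review bot: As displayed, the expected value at line 159 contains `<strong>strong</strong>` twice, so the assertion would only pass if the literal HTML in `$md` came through unescaped, which is the opposite of what the test name and the commit claim. This is most likely the page renderer decoding entities, but please confirm the literal in the file reads `&lt;strong&gt;strong&lt;/strong&gt;` for the second occurrence; otherwise the test is not exercising the escaping at all. The test only covers `hook_markdown_render_linklist()`; the line-149 context shows `hook_markdown_render_daily()` goes through the same pipeline, so a sibling assertion for it (and the feed hook, if one exists) would be cheap and would guard the fix against a hook-specific regression. Minor: `assertSame` would pin the string type as well as its value.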