authorVirtualTam <virtualtam+github@flibidi.net>2017-03-08 21:45:57 +0100
committerGitHub <noreply@github.com>2017-03-08 21:45:57 +0100
commitff6f9c71d682dbc20c363d71db5016dd0d5247c1 (patch)
treed515b37130d6ea07ff3ecccf9d6dd5a2ebf83ec0
parentebd67c6e1b40aebdd3a52285ce9ff9412b2a3038 (diff)
parent1328d222680edf2ebdaea5624a7496240bd075f0 (diff)
Merge pull request #795 from virtualtam/0.7-backport/hotfix/markdown-html
security: escape HTML entities when using Markdown
-rw-r--r--plugins/markdown/markdown.php2
-rw-r--r--tests/plugins/PluginMarkdownTest.php18
2 files changed, 19 insertions, 1 deletions
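--- a/plugins/markdown/markdown.php
+++ b/plugins/markdown/markdown.php
@@ -218,7 +218,7 @@ function process_markdown($description)
 $processedDescription = reverse_space2nbsp($processedDescription);
 $processedDescription = unescape($processedDescription);
 $processedDescription = $parsedown
-->setMarkupEscaped(false)
+->setMarkupEscaped(true)
 ->setBreaksEnabled(true)
 ->text($processedDescription);
 $processedDescription = sanitize_html($processedDescription);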
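Review bot: The switch to `setMarkupEscaped(true)` is not documented, and a reader seeing `unescape()` two lines earlier followed by `sanitize_html()` afterwards could reasonably conclude one of the three steps is redundant and remove it. Parsedown's markup escaping only covers raw HTML blocks and inline tags found in the Markdown source; markup that Parsedown itself generates (link and image URLs, for instance) is not affected by it, so the `sanitize_html` call must remain as the second layer. I would add above the builder: `// Escape raw HTML found in the description; sanitize_html() below still filters the markup Parsedown generates.` process_markdown's body begins outside the hunk, so whether the description is already escaped when it reaches `unescape()` cannot be confirmed from here.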
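--- a/tests/plugins/PluginMarkdownTest.php
+++ b/tests/plugins/PluginMarkdownTest.php
@@ -149,4 +149,22 @@ class PluginMarkdownTest extends PHPUnit_Framework_TestCase
 $data = hook_markdown_render_daily($data);
 $this->assertEquals($str, $data['cols'][0][0]['formatedDescription']);
 }
+
+/**
+ * Make sure that the HTML tags are escaped.
+ */
+public function testMarkdownWithHtmlEscape()
+{
+$md = '**strong** <strong>strong</strong>';
+$html = '<div class="markdown"><p><strong>strong</strong> &lt;strong&gt;strong&lt;/strong&gt;</p></div>';
+$data = array(
+'links' => array(
+0 => array(
+'description' => $md,
+),
+),
+);
+$data = hook_markdown_render_linklist($data);
+$this->assertEquals($html, $data['links'][0]['description']);
+}
 }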
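Review bot: testMarkdownWithHtmlEscape only exercises an inline tag inside a paragraph; Parsedown handles a tag that starts a line on its own through its block-markup path rather than its inline path, so the escape setting should be pinned for both. I would add a second input such as `$md = "**strong**\n<strong>block</strong>";` with the corresponding expected output, either as a second assertion in this method or as a sibling test. The docblock could also say what the expected outcome is, e.g. `* Raw HTML in a description must be rendered as escaped text, not as markup.`, since "escaped" alone does not say whether the tag is dropped or shown verbatim.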