Add markdown_escape setting

This setting allows to escape HTML in markdown rendering or not.
The goal behind it is to avoid XSS issue in shared instances.

More info:

  * the setting is set to true by default
  * it is set to false for anyone who already have the plugin enabled
  (avoid breaking existing entries)
  * improve the HTML sanitization when the setting is set to false - but don't consider it XSS proof
  * mention the setting in the plugin README

1 files changed, 23 insertions, 0 deletions

diff --git a/application/Updater.php b/application/Updater.php
index 3f5d325b..f5ebf31a 100644
--- a/application/Updater.php
+++ b/application/Updater.php
@@ -336,6 +336,29 @@ class Updater
         }
         $this->conf->set('resource.theme', 'vintage');
         $this->conf->write($this->isLoggedIn);
+
+        return true;
+    }
+
+    /**
+     * * `markdown_escape` is a new setting, set to true as default.
+     *
+     * If the markdown plugin was already enabled, escaping is disabled to avoid
+     * breaking existing entries.
+     */
+    public function updateMethodEscapeMarkdown()
+    {
+        if ($this->conf->exists('security.markdown_escape')) {
+            return true;
+        }
+
+        if (in_array('markdown', $this->conf->get('general.enabled_plugins'))) {
+            $this->conf->set('security.markdown_escape', false);
+        } else {
+            $this->conf->set('security.markdown_escape', true);
+        }
+        $this->conf->write($this->isLoggedIn);
+
         return true;
     }
 }