diff options
author | ArthurHoaro <arthur@hoa.ro> | 2017-02-27 19:45:55 +0100 |
---|---|---|
committer | VirtualTam <virtualtam@flibidi.net> | 2017-03-04 09:38:12 +0100 |
commit | 9ff17ae20effa5d54fd8481c19518123590e3bd0 (patch) | |
tree | 5950eea367714b54cb24cdfb57963adf85a907e4 /application/Updater.php | |
parent | 63bddaad4b6578d5d9a5728cba9f2f0d552805e5 (diff) | |
download | Shaarli-9ff17ae20effa5d54fd8481c19518123590e3bd0.tar.gz Shaarli-9ff17ae20effa5d54fd8481c19518123590e3bd0.tar.zst Shaarli-9ff17ae20effa5d54fd8481c19518123590e3bd0.zip |
Add markdown_escape setting
This setting allows to escape HTML in markdown rendering or not.
The goal behind it is to avoid XSS issue in shared instances.
More info:
* the setting is set to true by default
* it is set to false for anyone who already have the plugin enabled
(avoid breaking existing entries)
* improve the HTML sanitization when the setting is set to false - but don't consider it XSS proof
* mention the setting in the plugin README
Diffstat (limited to 'application/Updater.php')
-rw-r--r-- | application/Updater.php | 22 |
1 files changed, 22 insertions, 0 deletions
diff --git a/application/Updater.php b/application/Updater.php index f0d02814..555d4c25 100644 --- a/application/Updater.php +++ b/application/Updater.php | |||
@@ -256,6 +256,28 @@ class Updater | |||
256 | 256 | ||
257 | return true; | 257 | return true; |
258 | } | 258 | } |
259 | |||
260 | /** | ||
261 | * * `markdown_escape` is a new setting, set to true as default. | ||
262 | * | ||
263 | * If the markdown plugin was already enabled, escaping is disabled to avoid | ||
264 | * breaking existing entries. | ||
265 | */ | ||
266 | public function updateMethodEscapeMarkdown() | ||
267 | { | ||
268 | if ($this->conf->exists('security.markdown_escape')) { | ||
269 | return true; | ||
270 | } | ||
271 | |||
272 | if (in_array('markdown', $this->conf->get('general.enabled_plugins'))) { | ||
273 | $this->conf->set('security.markdown_escape', false); | ||
274 | } else { | ||
275 | $this->conf->set('security.markdown_escape', true); | ||
276 | } | ||
277 | $this->conf->write($this->isLoggedIn); | ||
278 | |||
279 | return true; | ||
280 | } | ||
259 | } | 281 | } |
260 | 282 | ||
261 | /** | 283 | /** |