Store bookmarks as PHP objects and add a service layer to retri… (#1307)

Store bookmarks as PHP objects and add a service layer to retrieve them
author: ArthurHoaro <arthur@hoa.ro> 2020-01-18 10:01:06 +0100
committer: GitHub <noreply@github.com> 2020-01-18 10:01:06 +0100
commit: 3fb29fdda04ca86e04422d49b86cf646d53c4f9d (patch)
tree: adf8512f93f5559ba87d0c9931969ae4ebea7133 /application/formatter/BookmarkMarkdownFormatter.php
parent: 796c4c57d085ae4589b53dfe8369ae9ba30ffdaf (diff)
parent: e26e2060f5470ce8bf4c5973284bae07b8af170a (diff)
download: Shaarli-3fb29fdda04ca86e04422d49b86cf646d53c4f9d.tar.gz
Shaarli-3fb29fdda04ca86e04422d49b86cf646d53c4f9d.tar.zst
Shaarli-3fb29fdda04ca86e04422d49b86cf646d53c4f9d.zip
1 files changed, 204 insertions, 0 deletions
diff --git a/application/formatter/BookmarkMarkdownFormatter.php b/application/formatter/BookmarkMarkdownFormatter.php
new file mode 100644
index 00000000..7797bfbf
--- /dev/null
+++ b/application/formatter/BookmarkMarkdownFormatter.php
@@ -0,0 +1,204 @@
+<?php
+namespace Shaarli\Formatter;
+use Shaarli\Config\ConfigManager;
+/**
+ * Class BookmarkMarkdownFormatter
+ *
+ * Format bookmark description into Markdown format.
+ *
+ * @package Shaarli\Formatter
+ */
+class BookmarkMarkdownFormatter extends BookmarkDefaultFormatter
+{
+    /**
+     * When this tag is present in a bookmark, its description should not be processed with Markdown
+     */
+    const NO_MD_TAG = 'nomarkdown';
+    /** @var \Parsedown instance */
+    protected $parsedown;
+    /** @var bool used to escape HTML in Markdown or not.
+     *            It MUST be set to true for shared instance as HTML content can
+     *            introduce XSS vulnerabilities.
+     */
+    protected $escape;
+    /**
+     * @var array List of allowed protocols for links inside bookmark's description.
+     */
+    protected $allowedProtocols;
+    /**
+     * LinkMarkdownFormatter constructor.
+     *
+     * @param ConfigManager $conf instance
+     */
+    public function __construct(ConfigManager $conf)
+    {
+        parent::__construct($conf);
+        $this->parsedown = new \Parsedown();
+        $this->escape = $conf->get('security.markdown_escape', true);
+        $this->allowedProtocols = $conf->get('security.allowed_protocols', []);
+    }
+    /**
+     * @inheritdoc
+     */
+    public function formatDescription($bookmark)
+    {
+        if (in_array(self::NO_MD_TAG, $bookmark->getTags())) {
+            return parent::formatDescription($bookmark);
+        }
+        $processedDescription = $bookmark->getDescription();
+        $processedDescription = $this->filterProtocols($processedDescription);
+        $processedDescription = $this->formatHashTags($processedDescription);
+        $processedDescription = $this->reverseEscapedHtml($processedDescription);
+        $processedDescription = $this->parsedown
+            ->setMarkupEscaped($this->escape)
+            ->setBreaksEnabled(true)
+            ->text($processedDescription);
+        $processedDescription = $this->sanitizeHtml($processedDescription);
+        if (!empty($processedDescription)) {
+            $processedDescription = '<div class="markdown">'. $processedDescription . '</div>';
+        }
+        return $processedDescription;
+    }
+    /**
+     * Remove the NO markdown tag if it is present
+     *
+     * @inheritdoc
+     */
+    protected function formatTagList($bookmark)
+    {
+        $out = parent::formatTagList($bookmark);
+        if (($pos = array_search(self::NO_MD_TAG, $out)) !== false) {
+            unset($out[$pos]);
+            return array_values($out);
+        }
+        return $out;
+    }
+    /**
+     * Replace not whitelisted protocols with http:// in given description.
+     * Also adds `index_url` to relative links if it's specified
+     *
+     * @param string $description      input description text.
+     *
+     * @return string $description without malicious link.
+     */
+    protected function filterProtocols($description)
+    {
+        $allowedProtocols = $this->allowedProtocols;
+        $indexUrl = ! empty($this->contextData['index_url']) ? $this->contextData['index_url'] : '';
+        return preg_replace_callback(
+            '#]\((.*?)\)#is',
+            function ($match) use ($allowedProtocols, $indexUrl) {
+                $link = startsWith($match[1], '?') || startsWith($match[1], '/') ? $indexUrl : '';
+                $link .= whitelist_protocols($match[1], $allowedProtocols);
+                return ']('. $link.')';
+            },
+            $description
+        );
+    }
+    /**
+     * Replace hashtag in Markdown links format
+     * E.g. `#hashtag` becomes `[#hashtag](?addtag=hashtag)`
+     * It includes the index URL if specified.
+     *
+     * @param string $description
+     *
+     * @return string
+     */
+    protected function formatHashTags($description)
+    {
+        $indexUrl = ! empty($this->contextData['index_url']) ? $this->contextData['index_url'] : '';
+        /*
+         * To support unicode: http://stackoverflow.com/a/35498078/1484919
+         * \p{Pc} - to match underscore
+         * \p{N} - numeric character in any script
+         * \p{L} - letter from any language
+         * \p{Mn} - any non marking space (accents, umlauts, etc)
+         */
+        $regex = '/(^|\s)#([\p{Pc}\p{N}\p{L}\p{Mn}]+)/mui';
+        $replacement = '$1[#$2]('. $indexUrl .'?addtag=$2)';
+        $descriptionLines = explode(PHP_EOL, $description);
+        $descriptionOut = '';
+        $codeBlockOn = false;
+        $lineCount = 0;
+        foreach ($descriptionLines as $descriptionLine) {
+            // Detect line of code: starting with 4 spaces,
+            // except lists which can start with +/*/- or `2.` after spaces.
+            $codeLineOn = preg_match('/^    +(?=[^\+\*\-])(?=(?!\d\.).)/', $descriptionLine) > 0;
+            // Detect and toggle block of code
+            if (!$codeBlockOn) {
+                $codeBlockOn = preg_match('/^```/', $descriptionLine) > 0;
+            } elseif (preg_match('/^```/', $descriptionLine) > 0) {
+                $codeBlockOn = false;
+            }
+            if (!$codeBlockOn && !$codeLineOn) {
+                $descriptionLine = preg_replace($regex, $replacement, $descriptionLine);
+            }
+            $descriptionOut .= $descriptionLine;
+            if ($lineCount++ < count($descriptionLines) - 1) {
+                $descriptionOut .= PHP_EOL;
+            }
+        }
+        return $descriptionOut;
+    }
+    /**
+     * Remove dangerous HTML tags (tags, iframe, etc.).
+     * Doesn't affect <code> content (already escaped by Parsedown).
+     *
+     * @param string $description input description text.
+     *
+     * @return string given string escaped.
+     */
+    protected function sanitizeHtml($description)
+    {
+        $escapeTags = array(
+            'script',
+            'style',
+            'link',
+            'iframe',
+            'frameset',
+            'frame',
+        );
+        foreach ($escapeTags as $tag) {
+            $description = preg_replace_callback(
+                '#<\s*'. $tag .'[^>]*>(.*</\s*'. $tag .'[^>]*>)?#is',
+                function ($match) {
+                    return escape($match[0]);
+                },
+                $description
+            );
+        }
+        $description = preg_replace(
+            '#(<[^>]+\s)on[a-z]*="?[^ "]*"?#is',
+            '$1',
+            $description
+        );
+        return $description;
+    }
+    protected function reverseEscapedHtml($description)
+    {
+        return unescape($description);
+    }
+}
author	ArthurHoaro <arthur@hoa.ro>	2020-01-18 10:01:06 +0100
committer	GitHub <noreply@github.com>	2020-01-18 10:01:06 +0100
commit	3fb29fdda04ca86e04422d49b86cf646d53c4f9d (patch)
tree	adf8512f93f5559ba87d0c9931969ae4ebea7133 /application/formatter/BookmarkMarkdownFormatter.php
parent	796c4c57d085ae4589b53dfe8369ae9ba30ffdaf (diff)
parent	e26e2060f5470ce8bf4c5973284bae07b8af170a (diff)
download	Shaarli-3fb29fdda04ca86e04422d49b86cf646d53c4f9d.tar.gz Shaarli-3fb29fdda04ca86e04422d49b86cf646d53c4f9d.tar.zst Shaarli-3fb29fdda04ca86e04422d49b86cf646d53c4f9d.zip

diff --git a/application/formatter/BookmarkMarkdownFormatter.php b/application/formatter/BookmarkMarkdownFormatter.php new file mode 100644 index 00000000..7797bfbf --- /dev/null +++ b/application/formatter/BookmarkMarkdownFormatter.php
@@ -0,0 +1,204 @@
	1	<?php
	2
	3	namespace Shaarli\Formatter;
	4
	5	use Shaarli\Config\ConfigManager;
	6
	7	/**
	8	* Class BookmarkMarkdownFormatter
	9	*
	10	* Format bookmark description into Markdown format.
	11	*
	12	* @package Shaarli\Formatter
	13	*/
	14	class BookmarkMarkdownFormatter extends BookmarkDefaultFormatter
	15	{
	16	/**
	17	* When this tag is present in a bookmark, its description should not be processed with Markdown
	18	*/
	19	const NO_MD_TAG = 'nomarkdown';
	20
	21	/** @var \Parsedown instance */
	22	protected $parsedown;
	23
	24	/** @var bool used to escape HTML in Markdown or not.
	25	* It MUST be set to true for shared instance as HTML content can
	26	* introduce XSS vulnerabilities.
	27	*/
	28	protected $escape;
	29
	30	/**
	31	* @var array List of allowed protocols for links inside bookmark's description.
	32	*/
	33	protected $allowedProtocols;
	34
	35	/**
	36	* LinkMarkdownFormatter constructor.
	37	*
	38	* @param ConfigManager $conf instance
	39	*/
	40	public function __construct(ConfigManager $conf)
	41	{
	42	parent::__construct($conf);
	43	$this->parsedown = new \Parsedown();
	44	$this->escape = $conf->get('security.markdown_escape', true);
	45	$this->allowedProtocols = $conf->get('security.allowed_protocols', []);
	46	}
	47
	48	/**
	49	* @inheritdoc
	50	*/
	51	public function formatDescription($bookmark)
	52	{
	53	if (in_array(self::NO_MD_TAG, $bookmark->getTags())) {
	54	return parent::formatDescription($bookmark);
	55	}
	56
	57	$processedDescription = $bookmark->getDescription();
	58	$processedDescription = $this->filterProtocols($processedDescription);
	59	$processedDescription = $this->formatHashTags($processedDescription);
	60	$processedDescription = $this->reverseEscapedHtml($processedDescription);
	61	$processedDescription = $this->parsedown
	62	->setMarkupEscaped($this->escape)
	63	->setBreaksEnabled(true)
	64	->text($processedDescription);
	65	$processedDescription = $this->sanitizeHtml($processedDescription);
	66
	67	if (!empty($processedDescription)) {
	68	$processedDescription = '<div class="markdown">'. $processedDescription . '</div>';
	69	}
	70
	71	return $processedDescription;
	72	}
	73
	74	/**
	75	* Remove the NO markdown tag if it is present
	76	*
	77	* @inheritdoc
	78	*/
	79	protected function formatTagList($bookmark)
	80	{
	81	$out = parent::formatTagList($bookmark);
	82	if (($pos = array_search(self::NO_MD_TAG, $out)) !== false) {
	83	unset($out[$pos]);
	84	return array_values($out);
	85	}
	86	return $out;
	87	}
	88
	89	/**
	90	* Replace not whitelisted protocols with http:// in given description.
	91	* Also adds `index_url` to relative links if it's specified
	92	*
	93	* @param string $description input description text.
	94	*
	95	* @return string $description without malicious link.
	96	*/
	97	protected function filterProtocols($description)
	98	{
	99	$allowedProtocols = $this->allowedProtocols;
	100	$indexUrl = ! empty($this->contextData['index_url']) ? $this->contextData['index_url'] : '';
	101
	102	return preg_replace_callback(
	103	'#]\((.*?)\)#is',
	104	function ($match) use ($allowedProtocols, $indexUrl) {
	105	$link = startsWith($match[1], '?') \|\| startsWith($match[1], '/') ? $indexUrl : '';
	106	$link .= whitelist_protocols($match[1], $allowedProtocols);
	107	return ']('. $link.')';
	108	},
	109	$description
	110	);
	111	}
	112
	113	/**
	114	* Replace hashtag in Markdown links format
	115	* E.g. `#hashtag` becomes `[#hashtag](?addtag=hashtag)`
	116	* It includes the index URL if specified.
	117	*
	118	* @param string $description
	119	*
	120	* @return string
	121	*/
	122	protected function formatHashTags($description)
	123	{
	124	$indexUrl = ! empty($this->contextData['index_url']) ? $this->contextData['index_url'] : '';
	125
	126	/*
	127	* To support unicode: http://stackoverflow.com/a/35498078/1484919
	128	* \p{Pc} - to match underscore
	129	* \p{N} - numeric character in any script
	130	* \p{L} - letter from any language
	131	* \p{Mn} - any non marking space (accents, umlauts, etc)
	132	*/
	133	$regex = '/(^\|\s)#([\p{Pc}\p{N}\p{L}\p{Mn}]+)/mui';
	134	$replacement = '$1[#$2]('. $indexUrl .'?addtag=$2)';
	135
	136	$descriptionLines = explode(PHP_EOL, $description);
	137	$descriptionOut = '';
	138	$codeBlockOn = false;
	139	$lineCount = 0;
	140
	141	foreach ($descriptionLines as $descriptionLine) {
	142	// Detect line of code: starting with 4 spaces,
	143	// except lists which can start with +/*/- or `2.` after spaces.
	144	$codeLineOn = preg_match('/^ +(?=[^\+\*\-])(?=(?!\d\.).)/', $descriptionLine) > 0;
	145	// Detect and toggle block of code
	146	if (!$codeBlockOn) {
	147	$codeBlockOn = preg_match('/^```/', $descriptionLine) > 0;
	148	} elseif (preg_match('/^```/', $descriptionLine) > 0) {
	149	$codeBlockOn = false;
	150	}
	151
	152	if (!$codeBlockOn && !$codeLineOn) {
	153	$descriptionLine = preg_replace($regex, $replacement, $descriptionLine);
	154	}
	155
	156	$descriptionOut .= $descriptionLine;
	157	if ($lineCount++ < count($descriptionLines) - 1) {
	158	$descriptionOut .= PHP_EOL;
	159	}
	160	}
	161
	162	return $descriptionOut;
	163	}
	164
	165	/**
	166	* Remove dangerous HTML tags (tags, iframe, etc.).
	167	* Doesn't affect <code> content (already escaped by Parsedown).
	168	*
	169	* @param string $description input description text.
	170	*
	171	* @return string given string escaped.
	172	*/
	173	protected function sanitizeHtml($description)
	174	{
	175	$escapeTags = array(
	176	'script',
	177	'style',
	178	'link',
	179	'iframe',
	180	'frameset',
	181	'frame',
	182	);
	183	foreach ($escapeTags as $tag) {
	184	$description = preg_replace_callback(
	185	'#<\s'. $tag .'[^>]>(.</\s'. $tag .'[^>]*>)?#is',
	186	function ($match) {
	187	return escape($match[0]);
	188	},
	189	$description
	190	);
	191	}
	192	$description = preg_replace(
	193	'#(<[^>]+\s)on[a-z]="?[^ "]"?#is',
	194	'$1',
	195	$description
	196	);
	197	return $description;
	198	}
	199
	200	protected function reverseEscapedHtml($description)
	201	{
	202	return unescape($description);
	203	}
	204	}