aboutsummaryrefslogtreecommitdiffhomepage
path: root/application
diff options
context:
space:
mode:
authorArthurHoaro <arthur@hoa.ro>2017-02-27 19:45:55 +0100
committerArthurHoaro <arthur@hoa.ro>2017-02-28 19:16:54 +0100
commite03761011521929a375ebb56f21adacb226a3a8d (patch)
tree6cc318939e74a35d74a037f18bca912b73e5c81e /application
parent5978588578ca103152598ccfbe41019b12e00a4f (diff)
downloadShaarli-e03761011521929a375ebb56f21adacb226a3a8d.tar.gz
Shaarli-e03761011521929a375ebb56f21adacb226a3a8d.tar.zst
Shaarli-e03761011521929a375ebb56f21adacb226a3a8d.zip
Add markdown_escape setting
This setting allows to escape HTML in markdown rendering or not. The goal behind it is to avoid XSS issue in shared instances. More info: * the setting is set to true by default * it is set to false for anyone who already have the plugin enabled (avoid breaking existing entries) * improve the HTML sanitization when the setting is set to false - but don't consider it XSS proof * mention the setting in the plugin README
Diffstat (limited to 'application')
-rw-r--r--application/Updater.php23
1 files changed, 23 insertions, 0 deletions
diff --git a/application/Updater.php b/application/Updater.php
index 3f5d325b..f5ebf31a 100644
--- a/application/Updater.php
+++ b/application/Updater.php
@@ -336,6 +336,29 @@ class Updater
336 } 336 }
337 $this->conf->set('resource.theme', 'vintage'); 337 $this->conf->set('resource.theme', 'vintage');
338 $this->conf->write($this->isLoggedIn); 338 $this->conf->write($this->isLoggedIn);
339
340 return true;
341 }
342
343 /**
344 * * `markdown_escape` is a new setting, set to true as default.
345 *
346 * If the markdown plugin was already enabled, escaping is disabled to avoid
347 * breaking existing entries.
348 */
349 public function updateMethodEscapeMarkdown()
350 {
351 if ($this->conf->exists('security.markdown_escape')) {
352 return true;
353 }
354
355 if (in_array('markdown', $this->conf->get('general.enabled_plugins'))) {
356 $this->conf->set('security.markdown_escape', false);
357 } else {
358 $this->conf->set('security.markdown_escape', true);
359 }
360 $this->conf->write($this->isLoggedIn);
361
339 return true; 362 return true;
340 } 363 }
341} 364}