authorArthurHoaro <arthur@hoa.ro>2017-02-27 19:45:55 +0100
committerVirtualTam <virtualtam@flibidi.net>2017-03-04 09:38:12 +0100
commit9ff17ae20effa5d54fd8481c19518123590e3bd0 (patch)
tree5950eea367714b54cb24cdfb57963adf85a907e4 /application
parent63bddaad4b6578d5d9a5728cba9f2f0d552805e5 (diff)
Add markdown_escape setting
This setting controls whether HTML is escaped in markdown rendering. The goal behind it is to avoid XSS issues in shared instances. More info: * the setting is set to true by default * it is set to false for anyone who already has the plugin enabled (to avoid breaking existing entries) * improve the HTML sanitization when the setting is set to false - but don't consider it XSS proof * mention the setting in the plugin README
Diffstat (limited to 'application')
-rw-r--r--application/Updater.php22
1 files changed, 22 insertions, 0 deletions
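--- a/application/Updater.php
+++ b/application/Updater.php
@@ -256,6 +256,28 @@ class Updater
 
 return true;
 }
+
+/**
+* * `markdown_escape` is a new setting, set to true as default.
+*
+* If the markdown plugin was already enabled, escaping is disabled to avoid
+* breaking existing entries.
+*/
+public function updateMethodEscapeMarkdown()
+{
+if ($this->conf->exists('security.markdown_escape')) {
+return true;
+}
+
+if (in_array('markdown', $this->conf->get('general.enabled_plugins'))) {
+$this->conf->set('security.markdown_escape', false);
+} else {
+$this->conf->set('security.markdown_escape', true);
+}
+$this->conf->write($this->isLoggedIn);
+
+return true;
+}
 }
 
 /**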
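Review bot: The `in_array` check in `updateMethodEscapeMarkdown` uses loose comparison and assumes `general.enabled_plugins` is already an array; if that key is absent from an older config, the call emits a warning (a TypeError on PHP 8) and the new `security.markdown_escape` default is never written. Cast to array and compare strictly: `if (in_array('markdown', (array) $this->conf->get('general.enabled_plugins'), true)) {`. The docblock should also state the return contract, e.g. `@return bool true if the update is successful, false otherwise.` — the method only ever returns true here, and the other update methods in this class presumably follow that same convention. The enclosing class `Updater` continues outside the hunk.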