author | ArthurHoaro <arthur@hoa.ro> | 2017-02-27 19:45:55 +0100 |
---|---|---|
committer | ArthurHoaro <arthur@hoa.ro> | 2017-02-28 19:16:54 +0100 |
commit | e03761011521929a375ebb56f21adacb226a3a8d (patch) | |
tree | 6cc318939e74a35d74a037f18bca912b73e5c81e /application | |
parent | 5978588578ca103152598ccfbe41019b12e00a4f (diff) | |
Add markdown_escape setting
This setting controls whether HTML is escaped when rendering markdown.
The goal behind it is to avoid XSS issue in shared instances.
More info:
* the setting is set to true by default
* it is set to false for anyone who already have the plugin enabled
(avoid breaking existing entries)
* improve the HTML sanitization when the setting is set to false - but don't consider it XSS proof
* mention the setting in the plugin README
Diffstat (limited to 'application')
-rw-r--r-- | application/Updater.php | 23 |
1 files changed, 23 insertions, 0 deletions
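--- a/application/Updater.php
+++ b/application/Updater.php
@@ -336,6 +336,29 @@ class Updater
         }
         $this->conf->set('resource.theme', 'vintage');
         $this->conf->write($this->isLoggedIn);
+
+        return true;
+    }
+
+    /**
+     * * `markdown_escape` is a new setting, set to true as default.
+     *
+     * If the markdown plugin was already enabled, escaping is disabled to avoid
+     * breaking existing entries.
+     */
+    public function updateMethodEscapeMarkdown()
+    {
+        if ($this->conf->exists('security.markdown_escape')) {
+            return true;
+        }
+
+        if (in_array('markdown', $this->conf->get('general.enabled_plugins'))) {
+            $this->conf->set('security.markdown_escape', false);
+        } else {
+            $this->conf->set('security.markdown_escape', true);
+        }
+        $this->conf->write($this->isLoggedIn);
+
         return true;
     }
 }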
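Review bot: updateMethodEscapeMarkdown writes the unsafe value (`security.markdown_escape` = false) for every existing instance that has the markdown plugin enabled, which is precisely the shared-instance case the commit message says the setting exists to protect, and nothing in the hunk surfaces that choice to the administrator. At minimum the docblock should state the consequence, e.g. `Administrators of shared (multi-user) instances should set security.markdown_escape to true manually; existing markdown entries may then render differently.` The membership test should also be strict, `in_array('markdown', $this->conf->get('general.enabled_plugins'), true)`, and if `general.enabled_plugins` can be absent from an older config so that `get()` returns a non-array, `in_array` will fail there — passing an empty-array default, if the config manager supports one, would make the migration safe on such installs.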