aboutsummaryrefslogtreecommitdiffhomepage
path: root/plugins/markdown/markdown.php
diff options
context:
space:
mode:
authorArthurHoaro <arthur@hoa.ro>2017-02-27 19:45:55 +0100
committerVirtualTam <virtualtam@flibidi.net>2017-03-04 09:38:12 +0100
commit9ff17ae20effa5d54fd8481c19518123590e3bd0 (patch)
tree5950eea367714b54cb24cdfb57963adf85a907e4 /plugins/markdown/markdown.php
parent63bddaad4b6578d5d9a5728cba9f2f0d552805e5 (diff)
downloadShaarli-9ff17ae20effa5d54fd8481c19518123590e3bd0.tar.gz
Shaarli-9ff17ae20effa5d54fd8481c19518123590e3bd0.tar.zst
Shaarli-9ff17ae20effa5d54fd8481c19518123590e3bd0.zip
Add markdown_escape setting
This setting allows to escape HTML in markdown rendering or not. The goal behind it is to avoid XSS issue in shared instances. More info: * the setting is set to true by default * it is set to false for anyone who already have the plugin enabled (avoid breaking existing entries) * improve the HTML sanitization when the setting is set to false - but don't consider it XSS proof * mention the setting in the plugin README
Diffstat (limited to 'plugins/markdown/markdown.php')
-rw-r--r--plugins/markdown/markdown.php29
1 files changed, 18 insertions, 11 deletions
diff --git a/plugins/markdown/markdown.php b/plugins/markdown/markdown.php
index 0cf6e6e2..de7c823d 100644
--- a/plugins/markdown/markdown.php
+++ b/plugins/markdown/markdown.php
@@ -14,18 +14,19 @@ define('NO_MD_TAG', 'nomarkdown');
14/** 14/**
15 * Parse linklist descriptions. 15 * Parse linklist descriptions.
16 * 16 *
17 * @param array $data linklist data. 17 * @param array $data linklist data.
18 * @param ConfigManager $conf instance.
18 * 19 *
19 * @return mixed linklist data parsed in markdown (and converted to HTML). 20 * @return mixed linklist data parsed in markdown (and converted to HTML).
20 */ 21 */
21function hook_markdown_render_linklist($data) 22function hook_markdown_render_linklist($data, $conf)
22{ 23{
23 foreach ($data['links'] as &$value) { 24 foreach ($data['links'] as &$value) {
24 if (!empty($value['tags']) && noMarkdownTag($value['tags'])) { 25 if (!empty($value['tags']) && noMarkdownTag($value['tags'])) {
25 $value = stripNoMarkdownTag($value); 26 $value = stripNoMarkdownTag($value);
26 continue; 27 continue;
27 } 28 }
28 $value['description'] = process_markdown($value['description']); 29 $value['description'] = process_markdown($value['description'], $conf->get('security.markdown_escape', true));
29 } 30 }
30 return $data; 31 return $data;
31} 32}
@@ -34,17 +35,18 @@ function hook_markdown_render_linklist($data)
34 * Parse feed linklist descriptions. 35 * Parse feed linklist descriptions.
35 * 36 *
36 * @param array $data linklist data. 37 * @param array $data linklist data.
38 * @param ConfigManager $conf instance.
37 * 39 *
38 * @return mixed linklist data parsed in markdown (and converted to HTML). 40 * @return mixed linklist data parsed in markdown (and converted to HTML).
39 */ 41 */
40function hook_markdown_render_feed($data) 42function hook_markdown_render_feed($data, $conf)
41{ 43{
42 foreach ($data['links'] as &$value) { 44 foreach ($data['links'] as &$value) {
43 if (!empty($value['tags']) && noMarkdownTag($value['tags'])) { 45 if (!empty($value['tags']) && noMarkdownTag($value['tags'])) {
44 $value = stripNoMarkdownTag($value); 46 $value = stripNoMarkdownTag($value);
45 continue; 47 continue;
46 } 48 }
47 $value['description'] = process_markdown($value['description']); 49 $value['description'] = process_markdown($value['description'], $conf->get('security.markdown_escape', true));
48 } 50 }
49 51
50 return $data; 52 return $data;
@@ -53,11 +55,12 @@ function hook_markdown_render_feed($data)
53/** 55/**
54 * Parse daily descriptions. 56 * Parse daily descriptions.
55 * 57 *
56 * @param array $data daily data. 58 * @param array $data daily data.
59 * @param ConfigManager $conf instance.
57 * 60 *
58 * @return mixed daily data parsed in markdown (and converted to HTML). 61 * @return mixed daily data parsed in markdown (and converted to HTML).
59 */ 62 */
60function hook_markdown_render_daily($data) 63function hook_markdown_render_daily($data, $conf)
61{ 64{
62 // Manipulate columns data 65 // Manipulate columns data
63 foreach ($data['cols'] as &$value) { 66 foreach ($data['cols'] as &$value) {
@@ -66,7 +69,10 @@ function hook_markdown_render_daily($data)
66 $value2 = stripNoMarkdownTag($value2); 69 $value2 = stripNoMarkdownTag($value2);
67 continue; 70 continue;
68 } 71 }
69 $value2['formatedDescription'] = process_markdown($value2['formatedDescription']); 72 $value2['formatedDescription'] = process_markdown(
73 $value2['formatedDescription'],
74 $conf->get('security.markdown_escape', true)
75 );
70 } 76 }
71 } 77 }
72 78
@@ -250,7 +256,7 @@ function sanitize_html($description)
250 $description); 256 $description);
251 } 257 }
252 $description = preg_replace( 258 $description = preg_replace(
253 '#(<[^>]+)on[a-z]*="[^"]*"#is', 259 '#(<[^>]+)on[a-z]*="?[^ "]*"?#is',
254 '$1', 260 '$1',
255 $description); 261 $description);
256 return $description; 262 return $description;
@@ -265,10 +271,11 @@ function sanitize_html($description)
265 * 5. Wrap description in 'markdown' CSS class. 271 * 5. Wrap description in 'markdown' CSS class.
266 * 272 *
267 * @param string $description input description text. 273 * @param string $description input description text.
274 * @param bool $escape escape HTML entities
268 * 275 *
269 * @return string HTML processed $description. 276 * @return string HTML processed $description.
270 */ 277 */
271function process_markdown($description) 278function process_markdown($description, $escape = true)
272{ 279{
273 $parsedown = new Parsedown(); 280 $parsedown = new Parsedown();
274 281
@@ -278,7 +285,7 @@ function process_markdown($description)
278 $processedDescription = reverse_text2clickable($processedDescription); 285 $processedDescription = reverse_text2clickable($processedDescription);
279 $processedDescription = unescape($processedDescription); 286 $processedDescription = unescape($processedDescription);
280 $processedDescription = $parsedown 287 $processedDescription = $parsedown
281 ->setMarkupEscaped(false) 288 ->setMarkupEscaped($escape)
282 ->setBreaksEnabled(true) 289 ->setBreaksEnabled(true)
283 ->text($processedDescription); 290 ->text($processedDescription);
284 $processedDescription = sanitize_html($processedDescription); 291 $processedDescription = sanitize_html($processedDescription);