aboutsummaryrefslogtreecommitdiffhomepage
path: root/plugins/markdown/markdown.php
diff options
context:
space:
mode:
authorArthurHoaro <arthur@hoa.ro>2017-05-31 17:52:19 +0200
committerGitHub <noreply@github.com>2017-05-31 17:52:19 +0200
commitac94db1e36c77d52c316b5fa4e8e36b9d1e38b9e (patch)
treeb235a4ed0e5291d7ad2f008df5bbed4d43200cbe /plugins/markdown/markdown.php
parent268309df5d8110f516940be06e9481d66f3fb5d6 (diff)
parent86ceea054f5f85157b04473bac5bfb6ff86ca31f (diff)
downloadShaarli-ac94db1e36c77d52c316b5fa4e8e36b9d1e38b9e.tar.gz
Shaarli-ac94db1e36c77d52c316b5fa4e8e36b9d1e38b9e.tar.zst
Shaarli-ac94db1e36c77d52c316b5fa4e8e36b9d1e38b9e.zip
Merge pull request #880 from ArthurHoaro/hotfix/allowed-protocols
Add a whitelist of protocols for URLs
Diffstat (limited to 'plugins/markdown/markdown.php')
-rw-r--r--plugins/markdown/markdown.php37
1 files changed, 33 insertions, 4 deletions
diff --git a/plugins/markdown/markdown.php b/plugins/markdown/markdown.php
index de7c823d..772c56e8 100644
--- a/plugins/markdown/markdown.php
+++ b/plugins/markdown/markdown.php
@@ -26,7 +26,11 @@ function hook_markdown_render_linklist($data, $conf)
26 $value = stripNoMarkdownTag($value); 26 $value = stripNoMarkdownTag($value);
27 continue; 27 continue;
28 } 28 }
29 $value['description'] = process_markdown($value['description'], $conf->get('security.markdown_escape', true)); 29 $value['description'] = process_markdown(
30 $value['description'],
31 $conf->get('security.markdown_escape', true),
32 $conf->get('security.allowed_protocols')
33 );
30 } 34 }
31 return $data; 35 return $data;
32} 36}
@@ -46,7 +50,11 @@ function hook_markdown_render_feed($data, $conf)
46 $value = stripNoMarkdownTag($value); 50 $value = stripNoMarkdownTag($value);
47 continue; 51 continue;
48 } 52 }
49 $value['description'] = process_markdown($value['description'], $conf->get('security.markdown_escape', true)); 53 $value['description'] = process_markdown(
54 $value['description'],
55 $conf->get('security.markdown_escape', true),
56 $conf->get('security.allowed_protocols')
57 );
50 } 58 }
51 59
52 return $data; 60 return $data;
@@ -71,7 +79,8 @@ function hook_markdown_render_daily($data, $conf)
71 } 79 }
72 $value2['formatedDescription'] = process_markdown( 80 $value2['formatedDescription'] = process_markdown(
73 $value2['formatedDescription'], 81 $value2['formatedDescription'],
74 $conf->get('security.markdown_escape', true) 82 $conf->get('security.markdown_escape', true),
83 $conf->get('security.allowed_protocols')
75 ); 84 );
76 } 85 }
77 } 86 }
@@ -232,6 +241,25 @@ function reverse_space2nbsp($description)
232} 241}
233 242
234/** 243/**
244 * Replace not whitelisted protocols with http:// in given description.
245 *
246 * @param string $description input description text.
247 * @param array $allowedProtocols list of allowed protocols.
248 *
249 * @return string $description without malicious link.
250 */
251function filter_protocols($description, $allowedProtocols)
252{
253 return preg_replace_callback(
254 '#]\((.*?)\)#is',
255 function ($match) use ($allowedProtocols) {
256 return ']('. whitelist_protocols($match[1], $allowedProtocols) .')';
257 },
258 $description
259 );
260}
261
262/**
235 * Remove dangerous HTML tags (tags, iframe, etc.). 263 * Remove dangerous HTML tags (tags, iframe, etc.).
236 * Doesn't affect <code> content (already escaped by Parsedown). 264 * Doesn't affect <code> content (already escaped by Parsedown).
237 * 265 *
@@ -275,7 +303,7 @@ function sanitize_html($description)
275 * 303 *
276 * @return string HTML processed $description. 304 * @return string HTML processed $description.
277 */ 305 */
278function process_markdown($description, $escape = true) 306function process_markdown($description, $escape = true, $allowedProtocols = [])
279{ 307{
280 $parsedown = new Parsedown(); 308 $parsedown = new Parsedown();
281 309
@@ -283,6 +311,7 @@ function process_markdown($description, $escape = true)
283 $processedDescription = reverse_nl2br($processedDescription); 311 $processedDescription = reverse_nl2br($processedDescription);
284 $processedDescription = reverse_space2nbsp($processedDescription); 312 $processedDescription = reverse_space2nbsp($processedDescription);
285 $processedDescription = reverse_text2clickable($processedDescription); 313 $processedDescription = reverse_text2clickable($processedDescription);
314 $processedDescription = filter_protocols($processedDescription, $allowedProtocols);
286 $processedDescription = unescape($processedDescription); 315 $processedDescription = unescape($processedDescription);
287 $processedDescription = $parsedown 316 $processedDescription = $parsedown
288 ->setMarkupEscaped($escape) 317 ->setMarkupEscaped($escape)