aboutsummaryrefslogtreecommitdiffhomepage
path: root/plugins/markdown/markdown.php
diff options
context:
space:
mode:
authorArthur <arthur@hoa.ro>2016-02-25 08:52:42 +0100
committerArthur <arthur@hoa.ro>2016-02-25 08:52:42 +0100
commit10269bc8c9dfe87eb213c09a44308ce64ae0c12d (patch)
tree90bbe4d9f5b5788cc348c3883efe22deb659ded9 /plugins/markdown/markdown.php
parentcee0d9609f7cf860cf951ca2d838cfaacecd37d2 (diff)
parent2925687e1e86dc113116330efd547b9db5c0f1a6 (diff)
downloadShaarli-10269bc8c9dfe87eb213c09a44308ce64ae0c12d.tar.gz
Shaarli-10269bc8c9dfe87eb213c09a44308ce64ae0c12d.tar.zst
Shaarli-10269bc8c9dfe87eb213c09a44308ce64ae0c12d.zip
Merge pull request #491 from ArthurHoaro/markdown-escape2
Markdown: don't escape content + sanitize sensible tags
Diffstat (limited to 'plugins/markdown/markdown.php')
-rw-r--r--plugins/markdown/markdown.php37
1 files changed, 29 insertions, 8 deletions
diff --git a/plugins/markdown/markdown.php b/plugins/markdown/markdown.php
index 3630ef14..a45b6574 100644
--- a/plugins/markdown/markdown.php
+++ b/plugins/markdown/markdown.php
@@ -117,23 +117,43 @@ function reverse_space2nbsp($description)
117} 117}
118 118
119/** 119/**
120 * Remove '&gt;' at start of line auto generated by Shaarli core system 120 * Remove dangerous HTML tags (tags, iframe, etc.).
121 * to allow markdown blockquotes. 121 * Doesn't affect <code> content (already escaped by Parsedown).
122 * 122 *
123 * @param string $description input description text. 123 * @param string $description input description text.
124 * 124 *
125 * @return string $description without HTML links. 125 * @return string given string escaped.
126 */ 126 */
127function reset_quote_tags($description) 127function sanitize_html($description)
128{ 128{
129 return preg_replace('/^( *)&gt; /m', '$1> ', $description); 129 $escapeTags = array(
130 'script',
131 'style',
132 'link',
133 'iframe',
134 'frameset',
135 'frame',
136 );
137 foreach ($escapeTags as $tag) {
138 $description = preg_replace_callback(
139 '#<\s*'. $tag .'[^>]*>(.*</\s*'. $tag .'[^>]*>)?#is',
140 function ($match) { return escape($match[0]); },
141 $description);
142 }
143 $description = preg_replace(
144 '#(<[^>]+)on[a-z]*="[^"]*"#is',
145 '$1',
146 $description);
147 return $description;
130} 148}
131 149
132/** 150/**
133 * Render shaare contents through Markdown parser. 151 * Render shaare contents through Markdown parser.
134 * 1. Remove HTML generated by Shaarli core. 152 * 1. Remove HTML generated by Shaarli core.
135 * 2. Generate markdown descriptions. 153 * 2. Reverse the escape function.
136 * 3. Wrap description in 'markdown' CSS class. 154 * 3. Generate markdown descriptions.
155 * 4. Sanitize sensible HTML tags for security.
156 * 5. Wrap description in 'markdown' CSS class.
137 * 157 *
138 * @param string $description input description text. 158 * @param string $description input description text.
139 * 159 *
@@ -147,11 +167,12 @@ function process_markdown($description)
147 $processedDescription = reverse_text2clickable($processedDescription); 167 $processedDescription = reverse_text2clickable($processedDescription);
148 $processedDescription = reverse_nl2br($processedDescription); 168 $processedDescription = reverse_nl2br($processedDescription);
149 $processedDescription = reverse_space2nbsp($processedDescription); 169 $processedDescription = reverse_space2nbsp($processedDescription);
150 $processedDescription = reset_quote_tags($processedDescription); 170 $processedDescription = unescape($processedDescription);
151 $processedDescription = $parsedown 171 $processedDescription = $parsedown
152 ->setMarkupEscaped(false) 172 ->setMarkupEscaped(false)
153 ->setBreaksEnabled(true) 173 ->setBreaksEnabled(true)
154 ->text($processedDescription); 174 ->text($processedDescription);
175 $processedDescription = sanitize_html($processedDescription);
155 $processedDescription = '<div class="markdown">'. $processedDescription . '</div>'; 176 $processedDescription = '<div class="markdown">'. $processedDescription . '</div>';
156 177
157 return $processedDescription; 178 return $processedDescription;