aboutsummaryrefslogtreecommitdiffhomepage
path: root/plugins/markdown/markdown.php
diff options
context:
space:
mode:
authorArthurHoaro <arthur@hoa.ro>2016-02-19 19:37:13 +0100
committerArthurHoaro <arthur@hoa.ro>2016-02-19 19:37:13 +0100
commit2925687e1e86dc113116330efd547b9db5c0f1a6 (patch)
tree706706ddfc9472e51494db912f9bee03972ce93f /plugins/markdown/markdown.php
parentbfec695df1205864b46ca7175e1598b184602687 (diff)
downloadShaarli-2925687e1e86dc113116330efd547b9db5c0f1a6.tar.gz
Shaarli-2925687e1e86dc113116330efd547b9db5c0f1a6.tar.zst
Shaarli-2925687e1e86dc113116330efd547b9db5c0f1a6.zip
Markdown: don't escape content + sanitize sensible tags
Instead of trying to fix broken content for Markdown parsing, parse it unescaped, then sanatize sensible tags such as scripts, etc.
Diffstat (limited to 'plugins/markdown/markdown.php')
-rw-r--r--plugins/markdown/markdown.php37
1 files changed, 29 insertions, 8 deletions
diff --git a/plugins/markdown/markdown.php b/plugins/markdown/markdown.php
index 3630ef14..a45b6574 100644
--- a/plugins/markdown/markdown.php
+++ b/plugins/markdown/markdown.php
@@ -117,23 +117,43 @@ function reverse_space2nbsp($description)
117} 117}
118 118
119/** 119/**
120 * Remove '&gt;' at start of line auto generated by Shaarli core system 120 * Remove dangerous HTML tags (tags, iframe, etc.).
121 * to allow markdown blockquotes. 121 * Doesn't affect <code> content (already escaped by Parsedown).
122 * 122 *
123 * @param string $description input description text. 123 * @param string $description input description text.
124 * 124 *
125 * @return string $description without HTML links. 125 * @return string given string escaped.
126 */ 126 */
127function reset_quote_tags($description) 127function sanitize_html($description)
128{ 128{
129 return preg_replace('/^( *)&gt; /m', '$1> ', $description); 129 $escapeTags = array(
130 'script',
131 'style',
132 'link',
133 'iframe',
134 'frameset',
135 'frame',
136 );
137 foreach ($escapeTags as $tag) {
138 $description = preg_replace_callback(
139 '#<\s*'. $tag .'[^>]*>(.*</\s*'. $tag .'[^>]*>)?#is',
140 function ($match) { return escape($match[0]); },
141 $description);
142 }
143 $description = preg_replace(
144 '#(<[^>]+)on[a-z]*="[^"]*"#is',
145 '$1',
146 $description);
147 return $description;
130} 148}
131 149
132/** 150/**
133 * Render shaare contents through Markdown parser. 151 * Render shaare contents through Markdown parser.
134 * 1. Remove HTML generated by Shaarli core. 152 * 1. Remove HTML generated by Shaarli core.
135 * 2. Generate markdown descriptions. 153 * 2. Reverse the escape function.
136 * 3. Wrap description in 'markdown' CSS class. 154 * 3. Generate markdown descriptions.
155 * 4. Sanitize sensible HTML tags for security.
156 * 5. Wrap description in 'markdown' CSS class.
137 * 157 *
138 * @param string $description input description text. 158 * @param string $description input description text.
139 * 159 *
@@ -147,11 +167,12 @@ function process_markdown($description)
147 $processedDescription = reverse_text2clickable($processedDescription); 167 $processedDescription = reverse_text2clickable($processedDescription);
148 $processedDescription = reverse_nl2br($processedDescription); 168 $processedDescription = reverse_nl2br($processedDescription);
149 $processedDescription = reverse_space2nbsp($processedDescription); 169 $processedDescription = reverse_space2nbsp($processedDescription);
150 $processedDescription = reset_quote_tags($processedDescription); 170 $processedDescription = unescape($processedDescription);
151 $processedDescription = $parsedown 171 $processedDescription = $parsedown
152 ->setMarkupEscaped(false) 172 ->setMarkupEscaped(false)
153 ->setBreaksEnabled(true) 173 ->setBreaksEnabled(true)
154 ->text($processedDescription); 174 ->text($processedDescription);
175 $processedDescription = sanitize_html($processedDescription);
155 $processedDescription = '<div class="markdown">'. $processedDescription . '</div>'; 176 $processedDescription = '<div class="markdown">'. $processedDescription . '</div>';
156 177
157 return $processedDescription; 178 return $processedDescription;