author | ArthurHoaro <arthur@hoa.ro> | 2017-05-25 14:52:42 +0200 |
committer | ArthurHoaro <arthur@hoa.ro> | 2017-05-25 14:58:34 +0200 |
commit | 86ceea054f5f85157b04473bac5bfb6ff86ca31f (patch) | |
tree | e8216f2f36952818427e633b641a54a6ff26379a /plugins/markdown | |
parent | 61c15aa5554431893ea5ebe800a9a625dca5aff9 (diff) | |
Add a whitelist of protocols for URLs
- for Shaare
- for markdown description links and images
Protocols that are not whitelisted will be replaced by `http://`
Diffstat (limited to 'plugins/markdown')
-rw-r--r-- | plugins/markdown/markdown.php | 37 |
1 files changed, 33 insertions, 4 deletions
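diff --git a/plugins/markdown/markdown.php b/plugins/markdown/markdown.php
index de7c823d..772c56e8 100644
--- a/plugins/markdown/markdown.php
+++ b/plugins/markdown/markdown.php
@@ -26,7 +26,11 @@ function hook_markdown_render_linklist($data, $conf)
             $value = stripNoMarkdownTag($value);
             continue;
         }
-        $value['description'] = process_markdown($value['description'], $conf->get('security.markdown_escape', true));
+        $value['description'] = process_markdown(
+            $value['description'],
+            $conf->get('security.markdown_escape', true),
+            $conf->get('security.allowed_protocols')
+        );
     }
     return $data;
 }
@@ -46,7 +50,11 @@ function hook_markdown_render_feed($data, $conf)
             $value = stripNoMarkdownTag($value);
             continue;
         }
-        $value['description'] = process_markdown($value['description'], $conf->get('security.markdown_escape', true));
+        $value['description'] = process_markdown(
+            $value['description'],
+            $conf->get('security.markdown_escape', true),
+            $conf->get('security.allowed_protocols')
+        );
     }
 
     return $data;
@@ -71,7 +79,8 @@ function hook_markdown_render_daily($data, $conf)
             }
             $value2['formatedDescription'] = process_markdown(
                 $value2['formatedDescription'],
-                $conf->get('security.markdown_escape', true)
+                $conf->get('security.markdown_escape', true),
+                $conf->get('security.allowed_protocols')
             );
         }
     }
@@ -232,6 +241,25 @@ function reverse_space2nbsp($description)
 }
 
 /**
+ * Replace not whitelisted protocols with http:// in given description.
+ *
+ * @param string $description input description text.
+ * @param array $allowedProtocols list of allowed protocols.
+ *
+ * @return string $description without malicious link.
+ */
+function filter_protocols($description, $allowedProtocols)
+{
+    return preg_replace_callback(
+        '#]\((.*?)\)#is',
+        function ($match) use ($allowedProtocols) {
+            return ']('. whitelist_protocols($match[1], $allowedProtocols) .')';
+        },
+        $description
+    );
+}
+
+/**
  * Remove dangerous HTML tags (tags, iframe, etc.).
  * Doesn't affect <code> content (already escaped by Parsedown).
  *
@@ -275,7 +303,7 @@ function sanitize_html($description)
  *
  * @return string HTML processed $description.
  */
-function process_markdown($description, $escape = true)
+function process_markdown($description, $escape = true, $allowedProtocols = [])
 {
     $parsedown = new Parsedown();
 
@@ -283,6 +311,7 @@ function process_markdown($description, $escape = true)
     $processedDescription = reverse_nl2br($processedDescription);
     $processedDescription = reverse_space2nbsp($processedDescription);
     $processedDescription = reverse_text2clickable($processedDescription);
+    $processedDescription = filter_protocols($processedDescription, $allowedProtocols);
     $processedDescription = unescape($processedDescription);
     $processedDescription = $parsedown
         ->setMarkupEscaped($escape)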