security: escape HTML entities when using Markdown

Adapted from https://github.com/shaarli/Shaarli/pull/785 Signed-off-by: VirtualTam <virtualtam@flibidi.net>
author: VirtualTam <virtualtam@flibidi.net> 2017-03-08 20:38:41 +0100
committer: VirtualTam <virtualtam@flibidi.net> 2017-03-08 20:38:41 +0100
commit: 1328d222680edf2ebdaea5624a7496240bd075f0 (patch)
tree: d515b37130d6ea07ff3ecccf9d6dd5a2ebf83ec0 /plugins/markdown
parent: ebd67c6e1b40aebdd3a52285ce9ff9412b2a3038 (diff)
download: Shaarli-1328d222680edf2ebdaea5624a7496240bd075f0.tar.gz
Shaarli-1328d222680edf2ebdaea5624a7496240bd075f0.tar.zst
Shaarli-1328d222680edf2ebdaea5624a7496240bd075f0.zip
1 files changed, 1 insertions, 1 deletions
diff --git a/plugins/markdown/markdown.php b/plugins/markdown/markdown.php
index 57fcce32..9d073fbd 100644
--- a/plugins/markdown/markdown.php
+++ b/plugins/markdown/markdown.php
@@ -218,7 +218,7 @@ function process_markdown($description)
    $processedDescription = reverse_space2nbsp($processedDescription);
    $processedDescription = unescape($processedDescription);
    $processedDescription = $parsedown
-        ->setMarkupEscaped(false)
+        ->setMarkupEscaped(true)
        ->setBreaksEnabled(true)
        ->text($processedDescription);
    $processedDescription = sanitize_html($processedDescription);
author	VirtualTam <virtualtam@flibidi.net>	2017-03-08 20:38:41 +0100
committer	VirtualTam <virtualtam@flibidi.net>	2017-03-08 20:38:41 +0100
commit	1328d222680edf2ebdaea5624a7496240bd075f0 (patch)
tree	d515b37130d6ea07ff3ecccf9d6dd5a2ebf83ec0 /plugins/markdown
parent	ebd67c6e1b40aebdd3a52285ce9ff9412b2a3038 (diff)
download	Shaarli-1328d222680edf2ebdaea5624a7496240bd075f0.tar.gz Shaarli-1328d222680edf2ebdaea5624a7496240bd075f0.tar.zst Shaarli-1328d222680edf2ebdaea5624a7496240bd075f0.zip

diff --git a/plugins/markdown/markdown.php b/plugins/markdown/markdown.php index 57fcce32..9d073fbd 100644 --- a/plugins/markdown/markdown.php +++ b/plugins/markdown/markdown.php
@@ -218,7 +218,7 @@ function process_markdown($description)
218	$processedDescription = reverse_space2nbsp($processedDescription);	218	$processedDescription = reverse_space2nbsp($processedDescription);
219	$processedDescription = unescape($processedDescription);	219	$processedDescription = unescape($processedDescription);
220	$processedDescription = $parsedown	220	$processedDescription = $parsedown
221	->setMarkupEscaped(false)	221	->setMarkupEscaped(true)
222	->setBreaksEnabled(true)	222	->setBreaksEnabled(true)
223	->text($processedDescription);	223	->text($processedDescription);
224	$processedDescription = sanitize_html($processedDescription);	224	$processedDescription = sanitize_html($processedDescription);