author | ArthurHoaro <arthur@hoa.ro> | 2016-02-19 19:37:13 +0100 |
committer | ArthurHoaro <arthur@hoa.ro> | 2016-02-19 19:37:13 +0100 |
commit | 2925687e1e86dc113116330efd547b9db5c0f1a6 (patch) | |
tree | 706706ddfc9472e51494db912f9bee03972ce93f /plugins | |
parent | bfec695df1205864b46ca7175e1598b184602687 (diff) | |
Markdown: don't escape content + sanitize sensible tags
Instead of trying to fix broken content for Markdown parsing, parse it unescaped, then sanitize sensitive tags such as scripts, etc.
Diffstat (limited to 'plugins')
-rw-r--r-- | plugins/markdown/markdown.php | 37 |
1 files changed, 29 insertions, 8 deletions
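--- a/plugins/markdown/markdown.php
+++ b/plugins/markdown/markdown.php
@@ -117,23 +117,43 @@ function reverse_space2nbsp($description)
 }
 
 /**
- * Remove '>' at start of line auto generated by Shaarli core system
- * to allow markdown blockquotes.
+ * Remove dangerous HTML tags (tags, iframe, etc.).
+ * Doesn't affect <code> content (already escaped by Parsedown).
  *
  * @param string $description input description text.
  *
- * @return string $description without HTML links.
+ * @return string given string escaped.
  */
-function reset_quote_tags($description)
+function sanitize_html($description)
 {
-    return preg_replace('/^( *)> /m', '$1> ', $description);
+    $escapeTags = array(
+        'script',
+        'style',
+        'link',
+        'iframe',
+        'frameset',
+        'frame',
+    );
+    foreach ($escapeTags as $tag) {
+        $description = preg_replace_callback(
+            '#<\s*'. $tag .'[^>]*>(.*</\s*'. $tag .'[^>]*>)?#is',
+            function ($match) { return escape($match[0]); },
+            $description);
+    }
+    $description = preg_replace(
+        '#(<[^>]+)on[a-z]*="[^"]*"#is',
+        '$1',
+        $description);
+    return $description;
 }
 
 /**
  * Render shaare contents through Markdown parser.
  * 1. Remove HTML generated by Shaarli core.
- * 2. Generate markdown descriptions.
- * 3. Wrap description in 'markdown' CSS class.
+ * 2. Reverse the escape function.
+ * 3. Generate markdown descriptions.
+ * 4. Sanitize sensible HTML tags for security.
+ * 5. Wrap description in 'markdown' CSS class.
  *
  * @param string $description input description text.
  *
@@ -147,11 +167,12 @@ function process_markdown($description)
     $processedDescription = reverse_text2clickable($processedDescription);
     $processedDescription = reverse_nl2br($processedDescription);
     $processedDescription = reverse_space2nbsp($processedDescription);
-    $processedDescription = reset_quote_tags($processedDescription);
+    $processedDescription = unescape($processedDescription);
     $processedDescription = $parsedown
         ->setMarkupEscaped(false)
         ->setBreaksEnabled(true)
         ->text($processedDescription);
+    $processedDescription = sanitize_html($processedDescription);
     $processedDescription = '<div class="markdown">'. $processedDescription . '</div>';
 
     return $processedDescription;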
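Review bot: The event-handler strip in sanitize_html only matches double-quoted attributes (`'#(<[^>]+)on[a-z]*="[^"]*"#is'`), so single-quoted or unquoted `on*` attributes survive, URL-bearing attributes such as `href`/`src` are not checked at all, and the tag list (script, style, link, iframe, frameset, frame) is a blocklist that omits other active-content tags. Since process_markdown now runs unescape() and sets setMarkupEscaped(false) before this step, sanitize_html is the only barrier between stored description HTML and the rendered page, so an allowlist-based sanitizer (a maintained library such as HTML Purifier) would be the robust fix; as a minimal patch the attribute pattern could become `'#(<[^>]+?)\s+on[a-z]*\s*=\s*(?:"[^"]*"|\'[^\']*\'|[^\s>]+)#is'`. Separately, the greedy `(.*</\s*tag[^>]*>)?` under the `s` modifier spans from the first opening tag to the last closing tag anywhere in the description, escaping any legitimate content in between, which `(.*?</\s*'. $tag .'[^>]*>)?` avoids by stopping at the nearest closing tag. process_markdown's body begins before the second hunk.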