diff options
| author | ArthurHoaro <arthur@hoa.ro> | 2017-05-25 14:52:42 +0200 |
|---|---|---|
| committer | ArthurHoaro <arthur@hoa.ro> | 2017-05-25 14:58:34 +0200 |
| commit | 86ceea054f5f85157b04473bac5bfb6ff86ca31f (patch) | |
| tree | e8216f2f36952818427e633b641a54a6ff26379a /plugins | |
| parent | 61c15aa5554431893ea5ebe800a9a625dca5aff9 (diff) | |
| download | Shaarli-86ceea054f5f85157b04473bac5bfb6ff86ca31f.tar.gz Shaarli-86ceea054f5f85157b04473bac5bfb6ff86ca31f.tar.zst Shaarli-86ceea054f5f85157b04473bac5bfb6ff86ca31f.zip | |
Add a whitelist of protocols for URLs
- for Shaare
- for markdown description links and images
Not whitelisted protocols will be replaced by `http://`
Diffstat (limited to 'plugins')
| -rw-r--r-- | plugins/markdown/markdown.php | 37 |
1 files changed, 33 insertions, 4 deletions
diff --git a/plugins/markdown/markdown.php b/plugins/markdown/markdown.php index de7c823d..772c56e8 100644 --- a/plugins/markdown/markdown.php +++ b/plugins/markdown/markdown.php | |||
| @@ -26,7 +26,11 @@ function hook_markdown_render_linklist($data, $conf) | |||
| 26 | $value = stripNoMarkdownTag($value); | 26 | $value = stripNoMarkdownTag($value); |
| 27 | continue; | 27 | continue; |
| 28 | } | 28 | } |
| 29 | $value['description'] = process_markdown($value['description'], $conf->get('security.markdown_escape', true)); | 29 | $value['description'] = process_markdown( |
| 30 | $value['description'], | ||
| 31 | $conf->get('security.markdown_escape', true), | ||
| 32 | $conf->get('security.allowed_protocols') | ||
| 33 | ); | ||
| 30 | } | 34 | } |
| 31 | return $data; | 35 | return $data; |
| 32 | } | 36 | } |
| @@ -46,7 +50,11 @@ function hook_markdown_render_feed($data, $conf) | |||
| 46 | $value = stripNoMarkdownTag($value); | 50 | $value = stripNoMarkdownTag($value); |
| 47 | continue; | 51 | continue; |
| 48 | } | 52 | } |
| 49 | $value['description'] = process_markdown($value['description'], $conf->get('security.markdown_escape', true)); | 53 | $value['description'] = process_markdown( |
| 54 | $value['description'], | ||
| 55 | $conf->get('security.markdown_escape', true), | ||
| 56 | $conf->get('security.allowed_protocols') | ||
| 57 | ); | ||
| 50 | } | 58 | } |
| 51 | 59 | ||
| 52 | return $data; | 60 | return $data; |
| @@ -71,7 +79,8 @@ function hook_markdown_render_daily($data, $conf) | |||
| 71 | } | 79 | } |
| 72 | $value2['formatedDescription'] = process_markdown( | 80 | $value2['formatedDescription'] = process_markdown( |
| 73 | $value2['formatedDescription'], | 81 | $value2['formatedDescription'], |
| 74 | $conf->get('security.markdown_escape', true) | 82 | $conf->get('security.markdown_escape', true), |
| 83 | $conf->get('security.allowed_protocols') | ||
| 75 | ); | 84 | ); |
| 76 | } | 85 | } |
| 77 | } | 86 | } |
| @@ -232,6 +241,25 @@ function reverse_space2nbsp($description) | |||
| 232 | } | 241 | } |
| 233 | 242 | ||
| 234 | /** | 243 | /** |
| 244 | * Replace not whitelisted protocols with http:// in given description. | ||
| 245 | * | ||
| 246 | * @param string $description input description text. | ||
| 247 | * @param array $allowedProtocols list of allowed protocols. | ||
| 248 | * | ||
| 249 | * @return string $description without malicious link. | ||
| 250 | */ | ||
| 251 | function filter_protocols($description, $allowedProtocols) | ||
| 252 | { | ||
| 253 | return preg_replace_callback( | ||
| 254 | '#]\((.*?)\)#is', | ||
| 255 | function ($match) use ($allowedProtocols) { | ||
| 256 | return ']('. whitelist_protocols($match[1], $allowedProtocols) .')'; | ||
| 257 | }, | ||
| 258 | $description | ||
| 259 | ); | ||
| 260 | } | ||
| 261 | |||
| 262 | /** | ||
| 235 | * Remove dangerous HTML tags (tags, iframe, etc.). | 263 | * Remove dangerous HTML tags (tags, iframe, etc.). |
| 236 | * Doesn't affect <code> content (already escaped by Parsedown). | 264 | * Doesn't affect <code> content (already escaped by Parsedown). |
| 237 | * | 265 | * |
| @@ -275,7 +303,7 @@ function sanitize_html($description) | |||
| 275 | * | 303 | * |
| 276 | * @return string HTML processed $description. | 304 | * @return string HTML processed $description. |
| 277 | */ | 305 | */ |
| 278 | function process_markdown($description, $escape = true) | 306 | function process_markdown($description, $escape = true, $allowedProtocols = []) |
| 279 | { | 307 | { |
| 280 | $parsedown = new Parsedown(); | 308 | $parsedown = new Parsedown(); |
| 281 | 309 | ||
| @@ -283,6 +311,7 @@ function process_markdown($description, $escape = true) | |||
| 283 | $processedDescription = reverse_nl2br($processedDescription); | 311 | $processedDescription = reverse_nl2br($processedDescription); |
| 284 | $processedDescription = reverse_space2nbsp($processedDescription); | 312 | $processedDescription = reverse_space2nbsp($processedDescription); |
| 285 | $processedDescription = reverse_text2clickable($processedDescription); | 313 | $processedDescription = reverse_text2clickable($processedDescription); |
| 314 | $processedDescription = filter_protocols($processedDescription, $allowedProtocols); | ||
| 286 | $processedDescription = unescape($processedDescription); | 315 | $processedDescription = unescape($processedDescription); |
| 287 | $processedDescription = $parsedown | 316 | $processedDescription = $parsedown |
| 288 | ->setMarkupEscaped($escape) | 317 | ->setMarkupEscaped($escape) |