diff options
-rw-r--r-- | application/Updater.php | 22 | ||||
-rw-r--r-- | plugins/markdown/README.md | 27 | ||||
-rw-r--r-- | plugins/markdown/markdown.php | 29 | ||||
-rw-r--r-- | tests/Updater/UpdaterTest.php | 65 | ||||
-rw-r--r-- | tests/plugins/PluginMarkdownTest.php | 57 | ||||
-rw-r--r-- | tests/plugins/resources/markdown.html | 6 |
6 files changed, 179 insertions, 27 deletions
diff --git a/application/Updater.php b/application/Updater.php index f0d02814..555d4c25 100644 --- a/application/Updater.php +++ b/application/Updater.php | |||
@@ -256,6 +256,28 @@ class Updater | |||
256 | 256 | ||
257 | return true; | 257 | return true; |
258 | } | 258 | } |
259 | |||
260 | /** | ||
261 | * * `markdown_escape` is a new setting, set to true as default. | ||
262 | * | ||
263 | * If the markdown plugin was already enabled, escaping is disabled to avoid | ||
264 | * breaking existing entries. | ||
265 | */ | ||
266 | public function updateMethodEscapeMarkdown() | ||
267 | { | ||
268 | if ($this->conf->exists('security.markdown_escape')) { | ||
269 | return true; | ||
270 | } | ||
271 | |||
272 | if (in_array('markdown', $this->conf->get('general.enabled_plugins'))) { | ||
273 | $this->conf->set('security.markdown_escape', false); | ||
274 | } else { | ||
275 | $this->conf->set('security.markdown_escape', true); | ||
276 | } | ||
277 | $this->conf->write($this->isLoggedIn); | ||
278 | |||
279 | return true; | ||
280 | } | ||
259 | } | 281 | } |
260 | 282 | ||
261 | /** | 283 | /** |
diff --git a/plugins/markdown/README.md b/plugins/markdown/README.md index aafcf066..bc9427e2 100644 --- a/plugins/markdown/README.md +++ b/plugins/markdown/README.md | |||
@@ -50,9 +50,20 @@ If the tag `nomarkdown` is set for a shaare, it won't be converted to Markdown s | |||
50 | 50 | ||
51 | > Note: this is a special tag, so it won't be displayed in link list. | 51 | > Note: this is a special tag, so it won't be displayed in link list. |
52 | 52 | ||
53 | ### HTML rendering | 53 | ### HTML escape |
54 | 54 | ||
55 | Markdown support HTML tags. For example: | 55 | By default, HTML tags are escaped. You can enable HTML tags rendering |
56 | by setting `security.markdwon_escape` to `false` in `data/config.json.php`: | ||
57 | |||
58 | ```json | ||
59 | { | ||
60 | "security": { | ||
61 | "markdown_escape": false | ||
62 | } | ||
63 | } | ||
64 | ``` | ||
65 | |||
66 | With this setting, Markdown support HTML tags. For example: | ||
56 | 67 | ||
57 | > <strong>strong</strong><strike>strike</strike> | 68 | > <strong>strong</strong><strike>strike</strike> |
58 | 69 | ||
@@ -60,12 +71,14 @@ Will render as: | |||
60 | 71 | ||
61 | > <strong>strong</strong><strike>strike</strike> | 72 | > <strong>strong</strong><strike>strike</strike> |
62 | 73 | ||
63 | If you want to shaare HTML code, it is necessary to use inline code or code blocks. | ||
64 | |||
65 | **If your shaared descriptions containing HTML tags before enabling the markdown plugin, | ||
66 | enabling it might break your page.** | ||
67 | 74 | ||
68 | > Note: HTML tags such as script, iframe, etc. are disabled for security reasons. | 75 | **Warning:** |
76 | |||
77 | * This setting might present **security risks** (XSS) on shared instances, even though tags | ||
78 | such as script, iframe, etc should be disabled. | ||
79 | * If you want to shaare HTML code, it is necessary to use inline code or code blocks. | ||
80 | * If your shaared descriptions contained HTML tags before enabling the markdown plugin, | ||
81 | enabling it might break your page. | ||
69 | 82 | ||
70 | ### Known issue | 83 | ### Known issue |
71 | 84 | ||
diff --git a/plugins/markdown/markdown.php b/plugins/markdown/markdown.php index 0cf6e6e2..de7c823d 100644 --- a/plugins/markdown/markdown.php +++ b/plugins/markdown/markdown.php | |||
@@ -14,18 +14,19 @@ define('NO_MD_TAG', 'nomarkdown'); | |||
14 | /** | 14 | /** |
15 | * Parse linklist descriptions. | 15 | * Parse linklist descriptions. |
16 | * | 16 | * |
17 | * @param array $data linklist data. | 17 | * @param array $data linklist data. |
18 | * @param ConfigManager $conf instance. | ||
18 | * | 19 | * |
19 | * @return mixed linklist data parsed in markdown (and converted to HTML). | 20 | * @return mixed linklist data parsed in markdown (and converted to HTML). |
20 | */ | 21 | */ |
21 | function hook_markdown_render_linklist($data) | 22 | function hook_markdown_render_linklist($data, $conf) |
22 | { | 23 | { |
23 | foreach ($data['links'] as &$value) { | 24 | foreach ($data['links'] as &$value) { |
24 | if (!empty($value['tags']) && noMarkdownTag($value['tags'])) { | 25 | if (!empty($value['tags']) && noMarkdownTag($value['tags'])) { |
25 | $value = stripNoMarkdownTag($value); | 26 | $value = stripNoMarkdownTag($value); |
26 | continue; | 27 | continue; |
27 | } | 28 | } |
28 | $value['description'] = process_markdown($value['description']); | 29 | $value['description'] = process_markdown($value['description'], $conf->get('security.markdown_escape', true)); |
29 | } | 30 | } |
30 | return $data; | 31 | return $data; |
31 | } | 32 | } |
@@ -34,17 +35,18 @@ function hook_markdown_render_linklist($data) | |||
34 | * Parse feed linklist descriptions. | 35 | * Parse feed linklist descriptions. |
35 | * | 36 | * |
36 | * @param array $data linklist data. | 37 | * @param array $data linklist data. |
38 | * @param ConfigManager $conf instance. | ||
37 | * | 39 | * |
38 | * @return mixed linklist data parsed in markdown (and converted to HTML). | 40 | * @return mixed linklist data parsed in markdown (and converted to HTML). |
39 | */ | 41 | */ |
40 | function hook_markdown_render_feed($data) | 42 | function hook_markdown_render_feed($data, $conf) |
41 | { | 43 | { |
42 | foreach ($data['links'] as &$value) { | 44 | foreach ($data['links'] as &$value) { |
43 | if (!empty($value['tags']) && noMarkdownTag($value['tags'])) { | 45 | if (!empty($value['tags']) && noMarkdownTag($value['tags'])) { |
44 | $value = stripNoMarkdownTag($value); | 46 | $value = stripNoMarkdownTag($value); |
45 | continue; | 47 | continue; |
46 | } | 48 | } |
47 | $value['description'] = process_markdown($value['description']); | 49 | $value['description'] = process_markdown($value['description'], $conf->get('security.markdown_escape', true)); |
48 | } | 50 | } |
49 | 51 | ||
50 | return $data; | 52 | return $data; |
@@ -53,11 +55,12 @@ function hook_markdown_render_feed($data) | |||
53 | /** | 55 | /** |
54 | * Parse daily descriptions. | 56 | * Parse daily descriptions. |
55 | * | 57 | * |
56 | * @param array $data daily data. | 58 | * @param array $data daily data. |
59 | * @param ConfigManager $conf instance. | ||
57 | * | 60 | * |
58 | * @return mixed daily data parsed in markdown (and converted to HTML). | 61 | * @return mixed daily data parsed in markdown (and converted to HTML). |
59 | */ | 62 | */ |
60 | function hook_markdown_render_daily($data) | 63 | function hook_markdown_render_daily($data, $conf) |
61 | { | 64 | { |
62 | // Manipulate columns data | 65 | // Manipulate columns data |
63 | foreach ($data['cols'] as &$value) { | 66 | foreach ($data['cols'] as &$value) { |
@@ -66,7 +69,10 @@ function hook_markdown_render_daily($data) | |||
66 | $value2 = stripNoMarkdownTag($value2); | 69 | $value2 = stripNoMarkdownTag($value2); |
67 | continue; | 70 | continue; |
68 | } | 71 | } |
69 | $value2['formatedDescription'] = process_markdown($value2['formatedDescription']); | 72 | $value2['formatedDescription'] = process_markdown( |
73 | $value2['formatedDescription'], | ||
74 | $conf->get('security.markdown_escape', true) | ||
75 | ); | ||
70 | } | 76 | } |
71 | } | 77 | } |
72 | 78 | ||
@@ -250,7 +256,7 @@ function sanitize_html($description) | |||
250 | $description); | 256 | $description); |
251 | } | 257 | } |
252 | $description = preg_replace( | 258 | $description = preg_replace( |
253 | '#(<[^>]+)on[a-z]*="[^"]*"#is', | 259 | '#(<[^>]+)on[a-z]*="?[^ "]*"?#is', |
254 | '$1', | 260 | '$1', |
255 | $description); | 261 | $description); |
256 | return $description; | 262 | return $description; |
@@ -265,10 +271,11 @@ function sanitize_html($description) | |||
265 | * 5. Wrap description in 'markdown' CSS class. | 271 | * 5. Wrap description in 'markdown' CSS class. |
266 | * | 272 | * |
267 | * @param string $description input description text. | 273 | * @param string $description input description text. |
274 | * @param bool $escape escape HTML entities | ||
268 | * | 275 | * |
269 | * @return string HTML processed $description. | 276 | * @return string HTML processed $description. |
270 | */ | 277 | */ |
271 | function process_markdown($description) | 278 | function process_markdown($description, $escape = true) |
272 | { | 279 | { |
273 | $parsedown = new Parsedown(); | 280 | $parsedown = new Parsedown(); |
274 | 281 | ||
@@ -278,7 +285,7 @@ function process_markdown($description) | |||
278 | $processedDescription = reverse_text2clickable($processedDescription); | 285 | $processedDescription = reverse_text2clickable($processedDescription); |
279 | $processedDescription = unescape($processedDescription); | 286 | $processedDescription = unescape($processedDescription); |
280 | $processedDescription = $parsedown | 287 | $processedDescription = $parsedown |
281 | ->setMarkupEscaped(false) | 288 | ->setMarkupEscaped($escape) |
282 | ->setBreaksEnabled(true) | 289 | ->setBreaksEnabled(true) |
283 | ->text($processedDescription); | 290 | ->text($processedDescription); |
284 | $processedDescription = sanitize_html($processedDescription); | 291 | $processedDescription = sanitize_html($processedDescription); |
diff --git a/tests/Updater/UpdaterTest.php b/tests/Updater/UpdaterTest.php index 4948fe52..17d1ba81 100644 --- a/tests/Updater/UpdaterTest.php +++ b/tests/Updater/UpdaterTest.php | |||
@@ -385,4 +385,69 @@ $GLOBALS[\'privateLinkByDefault\'] = true;'; | |||
385 | $this->assertTrue($updater->updateMethodDatastoreIds()); | 385 | $this->assertTrue($updater->updateMethodDatastoreIds()); |
386 | $this->assertEquals($checksum, hash_file('sha1', self::$testDatastore)); | 386 | $this->assertEquals($checksum, hash_file('sha1', self::$testDatastore)); |
387 | } | 387 | } |
388 | |||
389 | /** | ||
390 | * Test updateMethodEscapeMarkdown with markdown plugin enabled | ||
391 | * => setting markdown_escape set to false. | ||
392 | */ | ||
393 | public function testEscapeMarkdownSettingToFalse() | ||
394 | { | ||
395 | $sandboxConf = 'sandbox/config'; | ||
396 | copy(self::$configFile . '.json.php', $sandboxConf . '.json.php'); | ||
397 | $this->conf = new ConfigManager($sandboxConf); | ||
398 | |||
399 | $this->conf->set('general.enabled_plugins', ['markdown']); | ||
400 | $updater = new Updater([], [], $this->conf, true); | ||
401 | $this->assertTrue($updater->updateMethodEscapeMarkdown()); | ||
402 | $this->assertFalse($this->conf->get('security.markdown_escape')); | ||
403 | |||
404 | // reload from file | ||
405 | $this->conf = new ConfigManager($sandboxConf); | ||
406 | $this->assertFalse($this->conf->get('security.markdown_escape')); | ||
407 | } | ||
408 | |||
409 | /** | ||
410 | * Test updateMethodEscapeMarkdown with markdown plugin disabled | ||
411 | * => setting markdown_escape set to true. | ||
412 | */ | ||
413 | public function testEscapeMarkdownSettingToTrue() | ||
414 | { | ||
415 | $sandboxConf = 'sandbox/config'; | ||
416 | copy(self::$configFile . '.json.php', $sandboxConf . '.json.php'); | ||
417 | $this->conf = new ConfigManager($sandboxConf); | ||
418 | |||
419 | $this->conf->set('general.enabled_plugins', []); | ||
420 | $updater = new Updater([], [], $this->conf, true); | ||
421 | $this->assertTrue($updater->updateMethodEscapeMarkdown()); | ||
422 | $this->assertTrue($this->conf->get('security.markdown_escape')); | ||
423 | |||
424 | // reload from file | ||
425 | $this->conf = new ConfigManager($sandboxConf); | ||
426 | $this->assertTrue($this->conf->get('security.markdown_escape')); | ||
427 | } | ||
428 | |||
429 | /** | ||
430 | * Test updateMethodEscapeMarkdown with nothing to do (setting already enabled) | ||
431 | */ | ||
432 | public function testEscapeMarkdownSettingNothingToDoEnabled() | ||
433 | { | ||
434 | $sandboxConf = 'sandbox/config'; | ||
435 | copy(self::$configFile . '.json.php', $sandboxConf . '.json.php'); | ||
436 | $this->conf = new ConfigManager($sandboxConf); | ||
437 | $this->conf->set('security.markdown_escape', true); | ||
438 | $updater = new Updater([], [], $this->conf, true); | ||
439 | $this->assertTrue($updater->updateMethodEscapeMarkdown()); | ||
440 | $this->assertTrue($this->conf->get('security.markdown_escape')); | ||
441 | } | ||
442 | |||
443 | /** | ||
444 | * Test updateMethodEscapeMarkdown with nothing to do (setting already disabled) | ||
445 | */ | ||
446 | public function testEscapeMarkdownSettingNothingToDoDisabled() | ||
447 | { | ||
448 | $this->conf->set('security.markdown_escape', false); | ||
449 | $updater = new Updater([], [], $this->conf, true); | ||
450 | $this->assertTrue($updater->updateMethodEscapeMarkdown()); | ||
451 | $this->assertFalse($this->conf->get('security.markdown_escape')); | ||
452 | } | ||
388 | } | 453 | } |
diff --git a/tests/plugins/PluginMarkdownTest.php b/tests/plugins/PluginMarkdownTest.php index 17ef2280..f1e1acf8 100644 --- a/tests/plugins/PluginMarkdownTest.php +++ b/tests/plugins/PluginMarkdownTest.php | |||
@@ -14,11 +14,17 @@ require_once 'plugins/markdown/markdown.php'; | |||
14 | class PluginMarkdownTest extends PHPUnit_Framework_TestCase | 14 | class PluginMarkdownTest extends PHPUnit_Framework_TestCase |
15 | { | 15 | { |
16 | /** | 16 | /** |
17 | * @var ConfigManager instance. | ||
18 | */ | ||
19 | protected $conf; | ||
20 | |||
21 | /** | ||
17 | * Reset plugin path | 22 | * Reset plugin path |
18 | */ | 23 | */ |
19 | function setUp() | 24 | function setUp() |
20 | { | 25 | { |
21 | PluginManager::$PLUGINS_PATH = 'plugins'; | 26 | PluginManager::$PLUGINS_PATH = 'plugins'; |
27 | $this->conf = new ConfigManager('tests/utils/config/configJson'); | ||
22 | } | 28 | } |
23 | 29 | ||
24 | /** | 30 | /** |
@@ -36,7 +42,7 @@ class PluginMarkdownTest extends PHPUnit_Framework_TestCase | |||
36 | ), | 42 | ), |
37 | ); | 43 | ); |
38 | 44 | ||
39 | $data = hook_markdown_render_linklist($data); | 45 | $data = hook_markdown_render_linklist($data, $this->conf); |
40 | $this->assertNotFalse(strpos($data['links'][0]['description'], '<h1>')); | 46 | $this->assertNotFalse(strpos($data['links'][0]['description'], '<h1>')); |
41 | $this->assertNotFalse(strpos($data['links'][0]['description'], '<p>')); | 47 | $this->assertNotFalse(strpos($data['links'][0]['description'], '<p>')); |
42 | } | 48 | } |
@@ -61,7 +67,7 @@ class PluginMarkdownTest extends PHPUnit_Framework_TestCase | |||
61 | ), | 67 | ), |
62 | ); | 68 | ); |
63 | 69 | ||
64 | $data = hook_markdown_render_daily($data); | 70 | $data = hook_markdown_render_daily($data, $this->conf); |
65 | $this->assertNotFalse(strpos($data['cols'][0][0]['formatedDescription'], '<h1>')); | 71 | $this->assertNotFalse(strpos($data['cols'][0][0]['formatedDescription'], '<h1>')); |
66 | $this->assertNotFalse(strpos($data['cols'][0][0]['formatedDescription'], '<p>')); | 72 | $this->assertNotFalse(strpos($data['cols'][0][0]['formatedDescription'], '<p>')); |
67 | } | 73 | } |
@@ -110,6 +116,8 @@ class PluginMarkdownTest extends PHPUnit_Framework_TestCase | |||
110 | $output = escape($input); | 116 | $output = escape($input); |
111 | $input .= '<a href="#" onmouseHover="alert(\'xss\');" attr="tt">link</a>'; | 117 | $input .= '<a href="#" onmouseHover="alert(\'xss\');" attr="tt">link</a>'; |
112 | $output .= '<a href="#" attr="tt">link</a>'; | 118 | $output .= '<a href="#" attr="tt">link</a>'; |
119 | $input .= '<a href="#" onmouseHover=alert(\'xss\'); attr="tt">link</a>'; | ||
120 | $output .= '<a href="#" attr="tt">link</a>'; | ||
113 | $this->assertEquals($output, sanitize_html($input)); | 121 | $this->assertEquals($output, sanitize_html($input)); |
114 | // Do not touch escaped HTML. | 122 | // Do not touch escaped HTML. |
115 | $input = escape($input); | 123 | $input = escape($input); |
@@ -130,10 +138,10 @@ class PluginMarkdownTest extends PHPUnit_Framework_TestCase | |||
130 | )) | 138 | )) |
131 | ); | 139 | ); |
132 | 140 | ||
133 | $processed = hook_markdown_render_linklist($data); | 141 | $processed = hook_markdown_render_linklist($data, $this->conf); |
134 | $this->assertEquals($str, $processed['links'][0]['description']); | 142 | $this->assertEquals($str, $processed['links'][0]['description']); |
135 | 143 | ||
136 | $processed = hook_markdown_render_feed($data); | 144 | $processed = hook_markdown_render_feed($data, $this->conf); |
137 | $this->assertEquals($str, $processed['links'][0]['description']); | 145 | $this->assertEquals($str, $processed['links'][0]['description']); |
138 | 146 | ||
139 | $data = array( | 147 | $data = array( |
@@ -151,7 +159,7 @@ class PluginMarkdownTest extends PHPUnit_Framework_TestCase | |||
151 | ), | 159 | ), |
152 | ); | 160 | ); |
153 | 161 | ||
154 | $data = hook_markdown_render_daily($data); | 162 | $data = hook_markdown_render_daily($data, $this->conf); |
155 | $this->assertEquals($str, $data['cols'][0][0]['formatedDescription']); | 163 | $this->assertEquals($str, $data['cols'][0][0]['formatedDescription']); |
156 | } | 164 | } |
157 | 165 | ||
@@ -169,7 +177,7 @@ class PluginMarkdownTest extends PHPUnit_Framework_TestCase | |||
169 | )) | 177 | )) |
170 | ); | 178 | ); |
171 | 179 | ||
172 | $data = hook_markdown_render_feed($data); | 180 | $data = hook_markdown_render_feed($data, $this->conf); |
173 | $this->assertContains('<em>', $data['links'][0]['description']); | 181 | $this->assertContains('<em>', $data['links'][0]['description']); |
174 | } | 182 | } |
175 | 183 | ||
@@ -185,4 +193,41 @@ class PluginMarkdownTest extends PHPUnit_Framework_TestCase | |||
185 | $data = process_markdown($md); | 193 | $data = process_markdown($md); |
186 | $this->assertEquals($html, $data); | 194 | $this->assertEquals($html, $data); |
187 | } | 195 | } |
196 | |||
197 | /** | ||
198 | * Make sure that the HTML tags are escaped. | ||
199 | */ | ||
200 | public function testMarkdownWithHtmlEscape() | ||
201 | { | ||
202 | $md = '**strong** <strong>strong</strong>'; | ||
203 | $html = '<div class="markdown"><p><strong>strong</strong> <strong>strong</strong></p></div>'; | ||
204 | $data = array( | ||
205 | 'links' => array( | ||
206 | 0 => array( | ||
207 | 'description' => $md, | ||
208 | ), | ||
209 | ), | ||
210 | ); | ||
211 | $data = hook_markdown_render_linklist($data, $this->conf); | ||
212 | $this->assertEquals($html, $data['links'][0]['description']); | ||
213 | } | ||
214 | |||
215 | /** | ||
216 | * Make sure that the HTML tags aren't escaped with the setting set to false. | ||
217 | */ | ||
218 | public function testMarkdownWithHtmlNoEscape() | ||
219 | { | ||
220 | $this->conf->set('security.markdown_escape', false); | ||
221 | $md = '**strong** <strong>strong</strong>'; | ||
222 | $html = '<div class="markdown"><p><strong>strong</strong> <strong>strong</strong></p></div>'; | ||
223 | $data = array( | ||
224 | 'links' => array( | ||
225 | 0 => array( | ||
226 | 'description' => $md, | ||
227 | ), | ||
228 | ), | ||
229 | ); | ||
230 | $data = hook_markdown_render_linklist($data, $this->conf); | ||
231 | $this->assertEquals($html, $data['links'][0]['description']); | ||
232 | } | ||
188 | } | 233 | } |
diff --git a/tests/plugins/resources/markdown.html b/tests/plugins/resources/markdown.html index c0fbe7f4..07a5a32e 100644 --- a/tests/plugins/resources/markdown.html +++ b/tests/plugins/resources/markdown.html | |||
@@ -12,11 +12,11 @@ | |||
12 | <li><a href="http://link.tld">two</a></li> | 12 | <li><a href="http://link.tld">two</a></li> |
13 | <li><a href="http://link.tld">three</a></li> | 13 | <li><a href="http://link.tld">three</a></li> |
14 | <li><a href="http://link.tld">four</a></li> | 14 | <li><a href="http://link.tld">four</a></li> |
15 | <li>foo <a href="?addtag=foobar" title="Hashtag foobar">#foobar</a></li> | 15 | <li>foo <a href="?addtag=foobar" title="Hashtag foobar">#foobar</a></li> |
16 | </ol></li> | 16 | </ol></li> |
17 | </ol> | 17 | </ol> |
18 | <p><a href="?addtag=foobar" title="Hashtag foobar">#foobar</a> foo <code>lol #foo</code> <a href="?addtag=bar" title="Hashtag bar">#bar</a></p> | 18 | <p><a href="?addtag=foobar" title="Hashtag foobar">#foobar</a> foo <code>lol #foo</code> <a href="?addtag=bar" title="Hashtag bar">#bar</a></p> |
19 | <p>fsdfs <a href="http://link.tld">http://link.tld</a> <a href="?addtag=foobar" title="Hashtag foobar">#foobar</a> <code>http://link.tld</code></p> | 19 | <p>fsdfs <a href="http://link.tld">http://link.tld</a> <a href="?addtag=foobar" title="Hashtag foobar">#foobar</a> <code>http://link.tld</code></p> |
20 | <pre><code>http://link.tld #foobar | 20 | <pre><code>http://link.tld #foobar |
21 | next #foo</code></pre> | 21 | next #foo</code></pre> |
22 | <p>Block:</p> | 22 | <p>Block:</p> |