Diffstat (limited to 'plugins/markdown/markdown.php')
-rw-r--r-- | plugins/markdown/markdown.php | 58 |
1 files changed, 52 insertions, 6 deletions
diff --git a/plugins/markdown/markdown.php b/plugins/markdown/markdown.php index de7c823d..1531549d 100644 --- a/plugins/markdown/markdown.php +++ b/plugins/markdown/markdown.php | |||
@@ -26,7 +26,11 @@ function hook_markdown_render_linklist($data, $conf) | |||
26 | $value = stripNoMarkdownTag($value); | 26 | $value = stripNoMarkdownTag($value); |
27 | continue; | 27 | continue; |
28 | } | 28 | } |
29 | $value['description'] = process_markdown($value['description'], $conf->get('security.markdown_escape', true)); | 29 | $value['description'] = process_markdown( |
30 | $value['description'], | ||
31 | $conf->get('security.markdown_escape', true), | ||
32 | $conf->get('security.allowed_protocols') | ||
33 | ); | ||
30 | } | 34 | } |
31 | return $data; | 35 | return $data; |
32 | } | 36 | } |
@@ -46,7 +50,11 @@ function hook_markdown_render_feed($data, $conf) | |||
46 | $value = stripNoMarkdownTag($value); | 50 | $value = stripNoMarkdownTag($value); |
47 | continue; | 51 | continue; |
48 | } | 52 | } |
49 | $value['description'] = process_markdown($value['description'], $conf->get('security.markdown_escape', true)); | 53 | $value['description'] = process_markdown( |
54 | $value['description'], | ||
55 | $conf->get('security.markdown_escape', true), | ||
56 | $conf->get('security.allowed_protocols') | ||
57 | ); | ||
50 | } | 58 | } |
51 | 59 | ||
52 | return $data; | 60 | return $data; |
@@ -71,7 +79,8 @@ function hook_markdown_render_daily($data, $conf) | |||
71 | } | 79 | } |
72 | $value2['formatedDescription'] = process_markdown( | 80 | $value2['formatedDescription'] = process_markdown( |
73 | $value2['formatedDescription'], | 81 | $value2['formatedDescription'], |
74 | $conf->get('security.markdown_escape', true) | 82 | $conf->get('security.markdown_escape', true), |
83 | $conf->get('security.allowed_protocols') | ||
75 | ); | 84 | ); |
76 | } | 85 | } |
77 | } | 86 | } |
@@ -145,8 +154,13 @@ function hook_markdown_render_includes($data) | |||
145 | function hook_markdown_render_editlink($data) | 154 | function hook_markdown_render_editlink($data) |
146 | { | 155 | { |
147 | // Load help HTML into a string | 156 | // Load help HTML into a string |
148 | $data['edit_link_plugin'][] = file_get_contents(PluginManager::$PLUGINS_PATH .'/markdown/help.html'); | 157 | $txt = file_get_contents(PluginManager::$PLUGINS_PATH .'/markdown/help.html'); |
149 | 158 | $translations = [ | |
159 | t('Description will be rendered with'), | ||
160 | t('Markdown syntax documentation'), | ||
161 | t('Markdown syntax'), | ||
162 | ]; | ||
163 | $data['edit_link_plugin'][] = vsprintf($txt, $translations); | ||
150 | // Add no markdown 'meta-tag' in tag list if it was never used, for autocompletion. | 164 | // Add no markdown 'meta-tag' in tag list if it was never used, for autocompletion. |
151 | if (! in_array(NO_MD_TAG, $data['tags'])) { | 165 | if (! in_array(NO_MD_TAG, $data['tags'])) { |
152 | $data['tags'][NO_MD_TAG] = 0; | 166 | $data['tags'][NO_MD_TAG] = 0; |
@@ -232,6 +246,25 @@ function reverse_space2nbsp($description) | |||
232 | } | 246 | } |
233 | 247 | ||
234 | /** | 248 | /** |
249 | * Replace not whitelisted protocols with http:// in given description. | ||
250 | * | ||
251 | * @param string $description input description text. | ||
252 | * @param array $allowedProtocols list of allowed protocols. | ||
253 | * | ||
254 | * @return string $description without malicious link. | ||
255 | */ | ||
256 | function filter_protocols($description, $allowedProtocols) | ||
257 | { | ||
258 | return preg_replace_callback( | ||
259 | '#]\((.*?)\)#is', | ||
260 | function ($match) use ($allowedProtocols) { | ||
261 | return ']('. whitelist_protocols($match[1], $allowedProtocols) .')'; | ||
262 | }, | ||
263 | $description | ||
264 | ); | ||
265 | } | ||
266 | |||
267 | /** | ||
235 | * Remove dangerous HTML tags (tags, iframe, etc.). | 268 | * Remove dangerous HTML tags (tags, iframe, etc.). |
236 | * Doesn't affect <code> content (already escaped by Parsedown). | 269 | * Doesn't affect <code> content (already escaped by Parsedown). |
237 | * | 270 | * |
@@ -275,7 +308,7 @@ function sanitize_html($description) | |||
275 | * | 308 | * |
276 | * @return string HTML processed $description. | 309 | * @return string HTML processed $description. |
277 | */ | 310 | */ |
278 | function process_markdown($description, $escape = true) | 311 | function process_markdown($description, $escape = true, $allowedProtocols = []) |
279 | { | 312 | { |
280 | $parsedown = new Parsedown(); | 313 | $parsedown = new Parsedown(); |
281 | 314 | ||
@@ -283,6 +316,7 @@ function process_markdown($description, $escape = true) | |||
283 | $processedDescription = reverse_nl2br($processedDescription); | 316 | $processedDescription = reverse_nl2br($processedDescription); |
284 | $processedDescription = reverse_space2nbsp($processedDescription); | 317 | $processedDescription = reverse_space2nbsp($processedDescription); |
285 | $processedDescription = reverse_text2clickable($processedDescription); | 318 | $processedDescription = reverse_text2clickable($processedDescription); |
319 | $processedDescription = filter_protocols($processedDescription, $allowedProtocols); | ||
286 | $processedDescription = unescape($processedDescription); | 320 | $processedDescription = unescape($processedDescription); |
287 | $processedDescription = $parsedown | 321 | $processedDescription = $parsedown |
288 | ->setMarkupEscaped($escape) | 322 | ->setMarkupEscaped($escape) |
@@ -296,3 +330,15 @@ function process_markdown($description, $escape = true) | |||
296 | 330 | ||
297 | return $processedDescription; | 331 | return $processedDescription; |
298 | } | 332 | } |
333 | |||
334 | /** | ||
335 | * This function is never called, but contains translation calls for GNU gettext extraction. | ||
336 | */ | ||
337 | function markdown_dummy_translation() | ||
338 | { | ||
339 | // meta | ||
340 | t('Render shaare description with Markdown syntax.<br><strong>Warning</strong>: | ||
341 | If your shaared descriptions contained HTML tags before enabling the markdown plugin, | ||
342 | enabling it might break your page. | ||
343 | See the <a href="https://github.com/shaarli/Shaarli/tree/master/plugins/markdown#html-rendering">README</a>.'); | ||
344 | } | ||
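Review bot: `filter_protocols` (new lines 256–265) only rewrites URLs that follow `](`, so inline links and images are covered, but reference-style definitions (`[label]: url`), which Parsedown appears to resolve as well, are not passed through `whitelist_protocols`; either extend the pattern to them or state the limit in the docblock, e.g. `* Only inline links/images are filtered; reference-style definitions are not.` The same capture also swallows an optional title (`](url "title")`) and hands the whole string to `whitelist_protocols`, which is worth confirming against that helper's input contract. In the three hook callers (new lines 32, 56, 83) `$conf->get('security.allowed_protocols')` is read without the `[]` default that `process_markdown`'s signature declares, so an unset key passes `null` down into `filter_protocols`; `$conf->get('security.allowed_protocols', [])` would match the `markdown_escape` lookup right beside it. `preg_replace_callback` returns `null` on a PCRE error (e.g. backtrack limit on a long description), which would replace the whole text with nothing; check the result and fail closed rather than relying on the later stages to cope with `null`.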