Diffstat (limited to 'plugins/markdown/markdown.php')
-rw-r--r--plugins/markdown/markdown.php58
1 files changed, 52 insertions, 6 deletions
diff --git a/plugins/markdown/markdown.php b/plugins/markdown/markdown.php
index de7c823d..1531549d 100644
--- a/plugins/markdown/markdown.php
+++ b/plugins/markdown/markdown.php
@@ -26,7 +26,11 @@ function hook_markdown_render_linklist($data, $conf)
26 $value = stripNoMarkdownTag($value); 26 $value = stripNoMarkdownTag($value);
27 continue; 27 continue;
28 } 28 }
29 $value['description'] = process_markdown($value['description'], $conf->get('security.markdown_escape', true)); 29 $value['description'] = process_markdown(
30 $value['description'],
31 $conf->get('security.markdown_escape', true),
32 $conf->get('security.allowed_protocols')
33 );
30 } 34 }
31 return $data; 35 return $data;
32} 36}
@@ -46,7 +50,11 @@ function hook_markdown_render_feed($data, $conf)
46 $value = stripNoMarkdownTag($value); 50 $value = stripNoMarkdownTag($value);
47 continue; 51 continue;
48 } 52 }
49 $value['description'] = process_markdown($value['description'], $conf->get('security.markdown_escape', true)); 53 $value['description'] = process_markdown(
54 $value['description'],
55 $conf->get('security.markdown_escape', true),
56 $conf->get('security.allowed_protocols')
57 );
50 } 58 }
51 59
52 return $data; 60 return $data;
@@ -71,7 +79,8 @@ function hook_markdown_render_daily($data, $conf)
71 } 79 }
72 $value2['formatedDescription'] = process_markdown( 80 $value2['formatedDescription'] = process_markdown(
73 $value2['formatedDescription'], 81 $value2['formatedDescription'],
74 $conf->get('security.markdown_escape', true) 82 $conf->get('security.markdown_escape', true),
83 $conf->get('security.allowed_protocols')
75 ); 84 );
76 } 85 }
77 } 86 }
@@ -145,8 +154,13 @@ function hook_markdown_render_includes($data)
145function hook_markdown_render_editlink($data) 154function hook_markdown_render_editlink($data)
146{ 155{
147 // Load help HTML into a string 156 // Load help HTML into a string
148 $data['edit_link_plugin'][] = file_get_contents(PluginManager::$PLUGINS_PATH .'/markdown/help.html'); 157 $txt = file_get_contents(PluginManager::$PLUGINS_PATH .'/markdown/help.html');
149 158 $translations = [
159 t('Description will be rendered with'),
160 t('Markdown syntax documentation'),
161 t('Markdown syntax'),
162 ];
163 $data['edit_link_plugin'][] = vsprintf($txt, $translations);
150 // Add no markdown 'meta-tag' in tag list if it was never used, for autocompletion. 164 // Add no markdown 'meta-tag' in tag list if it was never used, for autocompletion.
151 if (! in_array(NO_MD_TAG, $data['tags'])) { 165 if (! in_array(NO_MD_TAG, $data['tags'])) {
152 $data['tags'][NO_MD_TAG] = 0; 166 $data['tags'][NO_MD_TAG] = 0;
@@ -232,6 +246,25 @@ function reverse_space2nbsp($description)
232} 246}
233 247
234/** 248/**
249 * Replace not whitelisted protocols with http:// in given description.
250 *
251 * @param string $description input description text.
252 * @param array $allowedProtocols list of allowed protocols.
253 *
254 * @return string $description without malicious link.
255 */
256function filter_protocols($description, $allowedProtocols)
257{
258 return preg_replace_callback(
259 '#]\((.*?)\)#is',
260 function ($match) use ($allowedProtocols) {
261 return ']('. whitelist_protocols($match[1], $allowedProtocols) .')';
262 },
263 $description
264 );
265}
266
267/**
235 * Remove dangerous HTML tags (tags, iframe, etc.). 268 * Remove dangerous HTML tags (tags, iframe, etc.).
236 * Doesn't affect <code> content (already escaped by Parsedown). 269 * Doesn't affect <code> content (already escaped by Parsedown).
237 * 270 *
@@ -275,7 +308,7 @@ function sanitize_html($description)
275 * 308 *
276 * @return string HTML processed $description. 309 * @return string HTML processed $description.
277 */ 310 */
278function process_markdown($description, $escape = true) 311function process_markdown($description, $escape = true, $allowedProtocols = [])
279{ 312{
280 $parsedown = new Parsedown(); 313 $parsedown = new Parsedown();
281 314
@@ -283,6 +316,7 @@ function process_markdown($description, $escape = true)
283 $processedDescription = reverse_nl2br($processedDescription); 316 $processedDescription = reverse_nl2br($processedDescription);
284 $processedDescription = reverse_space2nbsp($processedDescription); 317 $processedDescription = reverse_space2nbsp($processedDescription);
285 $processedDescription = reverse_text2clickable($processedDescription); 318 $processedDescription = reverse_text2clickable($processedDescription);
319 $processedDescription = filter_protocols($processedDescription, $allowedProtocols);
286 $processedDescription = unescape($processedDescription); 320 $processedDescription = unescape($processedDescription);
287 $processedDescription = $parsedown 321 $processedDescription = $parsedown
288 ->setMarkupEscaped($escape) 322 ->setMarkupEscaped($escape)
@@ -296,3 +330,15 @@ function process_markdown($description, $escape = true)
296 330
297 return $processedDescription; 331 return $processedDescription;
298} 332}
333
334/**
335 * This function is never called, but contains translation calls for GNU gettext extraction.
336 */
337function markdown_dummy_translation()
338{
339 // meta
340 t('Render shaare description with Markdown syntax.<br><strong>Warning</strong>:
341If your shaared descriptions contained HTML tags before enabling the markdown plugin,
342enabling it might break your page.
343See the <a href="https://github.com/shaarli/Shaarli/tree/master/plugins/markdown#html-rendering">README</a>.');
344}
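Review bot: filter_protocols (new lines 256-265) only rewrites inline-link targets matched by `#]\((.*?)\)#is`, so any other link syntax Parsedown presumably still accepts in this setup — reference-style definitions of the form `[id]: url` and angle-bracket autolinks `<url>` — reaches `$parsedown->text()` without going through whitelist_protocols, and the same non-greedy pattern stops at the first `)` inside a URL. Since the whitelist is meant to be the security boundary here, consider applying it where every link form converges instead, i.e. to the `href`/`src` attributes of the rendered HTML alongside sanitize_html (called a few lines above the `return $processedDescription;` on line 331, outside this hunk), or at minimum extending the callback to also cover `]: url` definitions, with a unit test for each syntax. Separately, the three hook call sites (new lines 32, 56, 83) pass `$conf->get('security.allowed_protocols')` with no fallback while process_markdown's new parameter defaults to `[]` (line 311); unless ConfigManager::get is known to return an array for a missing key, pass the same default at the call sites, `$conf->get('security.allowed_protocols', [])`, so whitelist_protocols never receives null. A one-line docblock note on filter_protocols stating that it handles inline `](url)` links only would also keep the next maintainer from assuming wider coverage.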