diff options
Diffstat (limited to 'plugins/markdown')
| -rw-r--r-- | plugins/markdown/markdown.php | 37 |
1 files changed, 29 insertions, 8 deletions
diff --git a/plugins/markdown/markdown.php b/plugins/markdown/markdown.php index 3630ef14..a45b6574 100644 --- a/plugins/markdown/markdown.php +++ b/plugins/markdown/markdown.php | |||
| @@ -117,23 +117,43 @@ function reverse_space2nbsp($description) | |||
| 117 | } | 117 | } |
| 118 | 118 | ||
| 119 | /** | 119 | /** |
| 120 | * Remove '>' at start of line auto generated by Shaarli core system | 120 | * Remove dangerous HTML tags (tags, iframe, etc.). |
| 121 | * to allow markdown blockquotes. | 121 | * Doesn't affect <code> content (already escaped by Parsedown). |
| 122 | * | 122 | * |
| 123 | * @param string $description input description text. | 123 | * @param string $description input description text. |
| 124 | * | 124 | * |
| 125 | * @return string $description without HTML links. | 125 | * @return string given string escaped. |
| 126 | */ | 126 | */ |
| 127 | function reset_quote_tags($description) | 127 | function sanitize_html($description) |
| 128 | { | 128 | { |
| 129 | return preg_replace('/^( *)> /m', '$1> ', $description); | 129 | $escapeTags = array( |
| 130 | 'script', | ||
| 131 | 'style', | ||
| 132 | 'link', | ||
| 133 | 'iframe', | ||
| 134 | 'frameset', | ||
| 135 | 'frame', | ||
| 136 | ); | ||
| 137 | foreach ($escapeTags as $tag) { | ||
| 138 | $description = preg_replace_callback( | ||
| 139 | '#<\s*'. $tag .'[^>]*>(.*</\s*'. $tag .'[^>]*>)?#is', | ||
| 140 | function ($match) { return escape($match[0]); }, | ||
| 141 | $description); | ||
| 142 | } | ||
| 143 | $description = preg_replace( | ||
| 144 | '#(<[^>]+)on[a-z]*="[^"]*"#is', | ||
| 145 | '$1', | ||
| 146 | $description); | ||
| 147 | return $description; | ||
| 130 | } | 148 | } |
| 131 | 149 | ||
| 132 | /** | 150 | /** |
| 133 | * Render shaare contents through Markdown parser. | 151 | * Render shaare contents through Markdown parser. |
| 134 | * 1. Remove HTML generated by Shaarli core. | 152 | * 1. Remove HTML generated by Shaarli core. |
| 135 | * 2. Generate markdown descriptions. | 153 | * 2. Reverse the escape function. |
| 136 | * 3. Wrap description in 'markdown' CSS class. | 154 | * 3. Generate markdown descriptions. |
| 155 | * 4. Sanitize sensible HTML tags for security. | ||
| 156 | * 5. Wrap description in 'markdown' CSS class. | ||
| 137 | * | 157 | * |
| 138 | * @param string $description input description text. | 158 | * @param string $description input description text. |
| 139 | * | 159 | * |
| @@ -147,11 +167,12 @@ function process_markdown($description) | |||
| 147 | $processedDescription = reverse_text2clickable($processedDescription); | 167 | $processedDescription = reverse_text2clickable($processedDescription); |
| 148 | $processedDescription = reverse_nl2br($processedDescription); | 168 | $processedDescription = reverse_nl2br($processedDescription); |
| 149 | $processedDescription = reverse_space2nbsp($processedDescription); | 169 | $processedDescription = reverse_space2nbsp($processedDescription); |
| 150 | $processedDescription = reset_quote_tags($processedDescription); | 170 | $processedDescription = unescape($processedDescription); |
| 151 | $processedDescription = $parsedown | 171 | $processedDescription = $parsedown |
| 152 | ->setMarkupEscaped(false) | 172 | ->setMarkupEscaped(false) |
| 153 | ->setBreaksEnabled(true) | 173 | ->setBreaksEnabled(true) |
| 154 | ->text($processedDescription); | 174 | ->text($processedDescription); |
| 175 | $processedDescription = sanitize_html($processedDescription); | ||
| 155 | $processedDescription = '<div class="markdown">'. $processedDescription . '</div>'; | 176 | $processedDescription = '<div class="markdown">'. $processedDescription . '</div>'; |
| 156 | 177 | ||
| 157 | return $processedDescription; | 178 | return $processedDescription; |