4 files changed, 57 insertions, 11 deletions
diff --git a/plugins/markdown/help.html b/plugins/markdown/help.html
index 9c4e5ae0..ded3d347 100644
--- a/plugins/markdown/help.html
+++ b/plugins/markdown/help.html
@@ -1,5 +1,5 @@
 <div class="md_help">
-    Description will be rendered with
+    %s
-    <a href="http://daringfireball.net/projects/markdown/syntax" title="Markdown syntax documentation">
+    <a href="http://daringfireball.net/projects/markdown/syntax" title="%s">
-        Markdown syntax</a>.
+        %s</a>.
 </div>
diff --git a/plugins/markdown/markdown.css b/plugins/markdown/markdown.css
index 6789ce84..ce19cd2a 100644
--- a/plugins/markdown/markdown.css
+++ b/plugins/markdown/markdown.css
@@ -150,7 +150,7 @@
    box-shadow: 0 -1px 0 #e5e5e5,0 0 1px rgba(0,0,0,0.12),0 1px 1px rgba(0,0,0,0.24);
 }
-.md_help {
+#pageheader .md_help {
    color: white;
 }
diff --git a/plugins/markdown/markdown.meta b/plugins/markdown/markdown.meta
index 8df2ed0b..322856ea 100644
--- a/plugins/markdown/markdown.meta
+++ b/plugins/markdown/markdown.meta
@@ -1,4 +1,4 @@
 description="Render shaare description with Markdown syntax.<br><strong>Warning</strong>:
-If your shaared descriptions containing HTML tags before enabling the markdown plugin,
+If your shaared descriptions contained HTML tags before enabling the markdown plugin,
 enabling it might break your page.
 See the <a href=\"https://github.com/shaarli/Shaarli/tree/master/plugins/markdown#html-rendering\">README</a>."
diff --git a/plugins/markdown/markdown.php b/plugins/markdown/markdown.php
index de7c823d..1531549d 100644
--- a/plugins/markdown/markdown.php
+++ b/plugins/markdown/markdown.php
@@ -26,7 +26,11 @@ function hook_markdown_render_linklist($data, $conf)
            $value = stripNoMarkdownTag($value);
            continue;
        }
-        $value['description'] = process_markdown($value['description'], $conf->get('security.markdown_escape', true));
+        $value['description'] = process_markdown(
+            $value['description'],
+            $conf->get('security.markdown_escape', true),
+            $conf->get('security.allowed_protocols')
+        );
    }
    return $data;
 }
@@ -46,7 +50,11 @@ function hook_markdown_render_feed($data, $conf)
            $value = stripNoMarkdownTag($value);
            continue;
        }
-        $value['description'] = process_markdown($value['description'], $conf->get('security.markdown_escape', true));
+        $value['description'] = process_markdown(
+            $value['description'],
+            $conf->get('security.markdown_escape', true),
+            $conf->get('security.allowed_protocols')
+        );
    }
    return $data;
@@ -71,7 +79,8 @@ function hook_markdown_render_daily($data, $conf)
            }
            $value2['formatedDescription'] = process_markdown(
                $value2['formatedDescription'],
-                $conf->get('security.markdown_escape', true)
+                $conf->get('security.markdown_escape', true),
+                $conf->get('security.allowed_protocols')
            );
        }
    }
@@ -145,8 +154,13 @@ function hook_markdown_render_includes($data)
 function hook_markdown_render_editlink($data)
 {
    // Load help HTML into a string
-    $data['edit_link_plugin'][] = file_get_contents(PluginManager::$PLUGINS_PATH .'/markdown/help.html');
+    $txt = file_get_contents(PluginManager::$PLUGINS_PATH .'/markdown/help.html');
+    $translations = [
+        t('Description will be rendered with'),
+        t('Markdown syntax documentation'),
+        t('Markdown syntax'),
+    ];
+    $data['edit_link_plugin'][] = vsprintf($txt, $translations);
    // Add no markdown 'meta-tag' in tag list if it was never used, for autocompletion.
    if (! in_array(NO_MD_TAG, $data['tags'])) {
        $data['tags'][NO_MD_TAG] = 0;
@@ -232,6 +246,25 @@ function reverse_space2nbsp($description)
 }
 /**
+ * Replace not whitelisted protocols with http:// in given description.
+ *
+ * @param string $description      input description text.
+ * @param array  $allowedProtocols list of allowed protocols.
+ *
+ * @return string $description without malicious link.
+ */
+function filter_protocols($description, $allowedProtocols)
+{
+    return preg_replace_callback(
+        '#]\((.*?)\)#is',
+        function ($match) use ($allowedProtocols) {
+            return ']('. whitelist_protocols($match[1], $allowedProtocols) .')';
+        },
+        $description
+    );
+}
+/**
 * Remove dangerous HTML tags (tags, iframe, etc.).
 * Doesn't affect <code> content (already escaped by Parsedown).
 *
@@ -275,7 +308,7 @@ function sanitize_html($description)
 *
 * @return string HTML processed $description.
 */
-function process_markdown($description, $escape = true)
+function process_markdown($description, $escape = true, $allowedProtocols = [])
 {
    $parsedown = new Parsedown();
@@ -283,6 +316,7 @@ function process_markdown($description, $escape = true)
    $processedDescription = reverse_nl2br($processedDescription);
    $processedDescription = reverse_space2nbsp($processedDescription);
    $processedDescription = reverse_text2clickable($processedDescription);
+    $processedDescription = filter_protocols($processedDescription, $allowedProtocols);
    $processedDescription = unescape($processedDescription);
    $processedDescription = $parsedown
        ->setMarkupEscaped($escape)
@@ -296,3 +330,15 @@ function process_markdown($description, $escape = true)
    return $processedDescription;
 }
+/**
+ * This function is never called, but contains translation calls for GNU gettext extraction.
+ */
+function markdown_dummy_translation()
+{
+    // meta
+    t('Render shaare description with Markdown syntax.<br><strong>Warning</strong>:
+If your shaared descriptions contained HTML tags before enabling the markdown plugin,
+enabling it might break your page.
+See the <a href="https://github.com/shaarli/Shaarli/tree/master/plugins/markdown#html-rendering">README</a>.');
+}

diff --git a/plugins/markdown/help.html b/plugins/markdown/help.html index 9c4e5ae0..ded3d347 100644 --- a/plugins/markdown/help.html +++ b/plugins/markdown/help.html
@@ -1,5 +1,5 @@
1	<div class="md_help">	1	<div class="md_help">
2	Description will be rendered with	2	%s
3	<a href="http://daringfireball.net/projects/markdown/syntax" title="Markdown syntax documentation">	3	<a href="http://daringfireball.net/projects/markdown/syntax" title="%s">
4	Markdown syntax</a>.	4	%s</a>.
5	</div>	5	</div>


diff --git a/plugins/markdown/markdown.css b/plugins/markdown/markdown.css index 6789ce84..ce19cd2a 100644 --- a/plugins/markdown/markdown.css +++ b/plugins/markdown/markdown.css
@@ -150,7 +150,7 @@
150	box-shadow: 0 -1px 0 #e5e5e5,0 0 1px rgba(0,0,0,0.12),0 1px 1px rgba(0,0,0,0.24);	150	box-shadow: 0 -1px 0 #e5e5e5,0 0 1px rgba(0,0,0,0.12),0 1px 1px rgba(0,0,0,0.24);
151	}	151	}
152		152
153	.md_help {	153	#pageheader .md_help {
154	color: white;	154	color: white;
155	}	155	}
156		156


diff --git a/plugins/markdown/markdown.meta b/plugins/markdown/markdown.meta index 8df2ed0b..322856ea 100644 --- a/plugins/markdown/markdown.meta +++ b/plugins/markdown/markdown.meta
@@ -1,4 +1,4 @@
1	description="Render shaare description with Markdown syntax.<br><strong>Warning</strong>:	1	description="Render shaare description with Markdown syntax.<br><strong>Warning</strong>:
2	If your shaared descriptions containing HTML tags before enabling the markdown plugin,	2	If your shaared descriptions contained HTML tags before enabling the markdown plugin,
3	enabling it might break your page.	3	enabling it might break your page.
4	See the <a href=\"https://github.com/shaarli/Shaarli/tree/master/plugins/markdown#html-rendering\">README</a>."	4	See the <a href=\"https://github.com/shaarli/Shaarli/tree/master/plugins/markdown#html-rendering\">README</a>."


diff --git a/plugins/markdown/markdown.php b/plugins/markdown/markdown.php index de7c823d..1531549d 100644 --- a/plugins/markdown/markdown.php +++ b/plugins/markdown/markdown.php
@@ -26,7 +26,11 @@ function hook_markdown_render_linklist($data, $conf)
26	$value = stripNoMarkdownTag($value);	26	$value = stripNoMarkdownTag($value);
27	continue;	27	continue;
28	}	28	}
29	$value['description'] = process_markdown($value['description'], $conf->get('security.markdown_escape', true));	29	$value['description'] = process_markdown(
		30	$value['description'],
		31	$conf->get('security.markdown_escape', true),
		32	$conf->get('security.allowed_protocols')
		33	);
30	}	34	}
31	return $data;	35	return $data;
32	}	36	}
@@ -46,7 +50,11 @@ function hook_markdown_render_feed($data, $conf)
46	$value = stripNoMarkdownTag($value);	50	$value = stripNoMarkdownTag($value);
47	continue;	51	continue;
48	}	52	}
49	$value['description'] = process_markdown($value['description'], $conf->get('security.markdown_escape', true));	53	$value['description'] = process_markdown(
		54	$value['description'],
		55	$conf->get('security.markdown_escape', true),
		56	$conf->get('security.allowed_protocols')
		57	);
50	}	58	}
51		59
52	return $data;	60	return $data;
@@ -71,7 +79,8 @@ function hook_markdown_render_daily($data, $conf)
71	}	79	}
72	$value2['formatedDescription'] = process_markdown(	80	$value2['formatedDescription'] = process_markdown(
73	$value2['formatedDescription'],	81	$value2['formatedDescription'],
74	$conf->get('security.markdown_escape', true)	82	$conf->get('security.markdown_escape', true),
		83	$conf->get('security.allowed_protocols')
75	);	84	);
76	}	85	}
77	}	86	}
@@ -145,8 +154,13 @@ function hook_markdown_render_includes($data)
145	function hook_markdown_render_editlink($data)	154	function hook_markdown_render_editlink($data)
146	{	155	{
147	// Load help HTML into a string	156	// Load help HTML into a string
148	$data['edit_link_plugin'][] = file_get_contents(PluginManager::$PLUGINS_PATH .'/markdown/help.html');	157	$txt = file_get_contents(PluginManager::$PLUGINS_PATH .'/markdown/help.html');
149		158	$translations = [
		159	t('Description will be rendered with'),
		160	t('Markdown syntax documentation'),
		161	t('Markdown syntax'),
		162	];
		163	$data['edit_link_plugin'][] = vsprintf($txt, $translations);
150	// Add no markdown 'meta-tag' in tag list if it was never used, for autocompletion.	164	// Add no markdown 'meta-tag' in tag list if it was never used, for autocompletion.
151	if (! in_array(NO_MD_TAG, $data['tags'])) {	165	if (! in_array(NO_MD_TAG, $data['tags'])) {
152	$data['tags'][NO_MD_TAG] = 0;	166	$data['tags'][NO_MD_TAG] = 0;
@@ -232,6 +246,25 @@ function reverse_space2nbsp($description)
232	}	246	}
233		247
234	/**	248	/**
		249	* Replace not whitelisted protocols with http:// in given description.
		250	*
		251	* @param string $description input description text.
		252	* @param array $allowedProtocols list of allowed protocols.
		253	*
		254	* @return string $description without malicious link.
		255	*/
		256	function filter_protocols($description, $allowedProtocols)
		257	{
		258	return preg_replace_callback(
		259	'#]\((.*?)\)#is',
		260	function ($match) use ($allowedProtocols) {
		261	return ']('. whitelist_protocols($match[1], $allowedProtocols) .')';
		262	},
		263	$description
		264	);
		265	}
		266
		267	/**
235	* Remove dangerous HTML tags (tags, iframe, etc.).	268	* Remove dangerous HTML tags (tags, iframe, etc.).
236	* Doesn't affect <code> content (already escaped by Parsedown).	269	* Doesn't affect <code> content (already escaped by Parsedown).
237	*	270	*
@@ -275,7 +308,7 @@ function sanitize_html($description)
275	*	308	*
276	* @return string HTML processed $description.	309	* @return string HTML processed $description.
277	*/	310	*/
278	function process_markdown($description, $escape = true)	311	function process_markdown($description, $escape = true, $allowedProtocols = [])
279	{	312	{
280	$parsedown = new Parsedown();	313	$parsedown = new Parsedown();
281		314
@@ -283,6 +316,7 @@ function process_markdown($description, $escape = true)
283	$processedDescription = reverse_nl2br($processedDescription);	316	$processedDescription = reverse_nl2br($processedDescription);
284	$processedDescription = reverse_space2nbsp($processedDescription);	317	$processedDescription = reverse_space2nbsp($processedDescription);
285	$processedDescription = reverse_text2clickable($processedDescription);	318	$processedDescription = reverse_text2clickable($processedDescription);
		319	$processedDescription = filter_protocols($processedDescription, $allowedProtocols);
286	$processedDescription = unescape($processedDescription);	320	$processedDescription = unescape($processedDescription);
287	$processedDescription = $parsedown	321	$processedDescription = $parsedown
288	->setMarkupEscaped($escape)	322	->setMarkupEscaped($escape)
@@ -296,3 +330,15 @@ function process_markdown($description, $escape = true)
296		330
297	return $processedDescription;	331	return $processedDescription;
298	}	332	}
		333
		334	/**
		335	* This function is never called, but contains translation calls for GNU gettext extraction.
		336	*/
		337	function markdown_dummy_translation()
		338	{
		339	// meta
		340	t('Render shaare description with Markdown syntax.<br><strong>Warning</strong>:
		341	If your shaared descriptions contained HTML tags before enabling the markdown plugin,
		342	enabling it might break your page.
		343	See the <a href="https://github.com/shaarli/Shaarli/tree/master/plugins/markdown#html-rendering">README</a>.');
		344	}