From 9ff17ae20effa5d54fd8481c19518123590e3bd0 Mon Sep 17 00:00:00 2001 From: ArthurHoaro Date: Mon, 27 Feb 2017 19:45:55 +0100 Subject: Add markdown_escape setting This setting allows to escape HTML in markdown rendering or not. The goal behind it is to avoid XSS issue in shared instances. More info: * the setting is set to true by default * it is set to false for anyone who already have the plugin enabled (avoid breaking existing entries) * improve the HTML sanitization when the setting is set to false - but don't consider it XSS proof * mention the setting in the plugin README --- application/Updater.php | 22 ++++++++++++++++++++++ 1 file changed, 22 insertions(+) (limited to 'application/Updater.php') diff --git a/application/Updater.php b/application/Updater.php index f0d02814..555d4c25 100644 --- a/application/Updater.php +++ b/application/Updater.php @@ -256,6 +256,28 @@ class Updater return true; } + + /** + * * `markdown_escape` is a new setting, set to true as default. + * + * If the markdown plugin was already enabled, escaping is disabled to avoid + * breaking existing entries. + */ + public function updateMethodEscapeMarkdown() + { + if ($this->conf->exists('security.markdown_escape')) { + return true; + } + + if (in_array('markdown', $this->conf->get('general.enabled_plugins'))) { + $this->conf->set('security.markdown_escape', false); + } else { + $this->conf->set('security.markdown_escape', true); + } + $this->conf->write($this->isLoggedIn); + + return true; + } } /** -- cgit v1.2.3