From 2925687e1e86dc113116330efd547b9db5c0f1a6 Mon Sep 17 00:00:00 2001
From: ArthurHoaro
Date: Fri, 19 Feb 2016 19:37:13 +0100
Subject: Markdown: don't escape content + sanitize sensible tags
Instead of trying to fix broken content for Markdown parsing, parse it unescaped, then sanatize sensible tags such as scripts, etc.
---
 plugins/markdown/markdown.php | 37 +++++++++++++++++++++++++++++--------
 1 file changed, 29 insertions(+), 8 deletions(-)
(limited to 'plugins/markdown/markdown.php')
diff --git a/plugins/markdown/markdown.php b/plugins/markdown/markdown.php
index 3630ef14..a45b6574 100644
--- a/plugins/markdown/markdown.php
+++ b/plugins/markdown/markdown.php
@@ -117,23 +117,43 @@ function reverse_space2nbsp($description)
 }
 
 /**
- * Remove '>' at start of line auto generated by Shaarli core system
- * to allow markdown blockquotes.
+ * Remove dangerous HTML tags (tags, iframe, etc.).
+ * Doesn't affect content (already escaped by Parsedown).
  *
  * @param string $description input description text.
  *
- * @return string $description without HTML links.
+ * @return string given string escaped.
  */
-function reset_quote_tags($description)
+function sanitize_html($description)
 {
-    return preg_replace('/^( *)> /m', '$1> ', $description);
+    $escapeTags = array(
+        'script',
+        'style',
+        'link',
+        'iframe',
+        'frameset',
+        'frame',
+    );
+    foreach ($escapeTags as $tag) {
+        $description = preg_replace_callback(
+            '#<\s*'. $tag .'[^>]*>(.*]*>)?#is',
+            function ($match) { return escape($match[0]); },
+            $description);
+    }
+    $description = preg_replace(
+        '#(<[^>]+)on[a-z]*="[^"]*"#is',
+        '$1',
+        $description);
+    return $description;
 }
 
 /**
  * Render shaare contents through Markdown parser.
  * 1. Remove HTML generated by Shaarli core.
- * 2. Generate markdown descriptions.
- * 3. Wrap description in 'markdown' CSS class.
+ * 2. Reverse the escape function.
+ * 3. Generate markdown descriptions.
+ * 4. Sanitize sensible HTML tags for security.
+ * 5. Wrap description in 'markdown' CSS class.
  *
  * @param string $description input description text.
  *
@@ -147,11 +167,12 @@ function process_markdown($description)
     $processedDescription = reverse_text2clickable($processedDescription);
     $processedDescription = reverse_nl2br($processedDescription);
     $processedDescription = reverse_space2nbsp($processedDescription);
-    $processedDescription = reset_quote_tags($processedDescription);
+    $processedDescription = unescape($processedDescription);
     $processedDescription = $parsedown
         ->setMarkupEscaped(false)
         ->setBreaksEnabled(true)
         ->text($processedDescription);
+    $processedDescription = sanitize_html($processedDescription);
     $processedDescription = '
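Review bot: The attribute-stripping `preg_replace` at the end of sanitize_html only matches double-quoted `on*` attributes and, because the captured `<[^>]+` prefix is consumed by each match, removes at most one handler per tag per call; the unanchored `on[a-z]*` also clips unrelated attribute names that end in `on` (e.g. `version="1"` loses `version`). Doing the stripping per tag inside a `preg_replace_callback` fixes all three, as below, though a tag denylist still leaves attribute-borne content unchecked, so an allowlist-based sanitizer is the more robust long-term option. The new docblock is inaccurate: `Doesn't affect content (already escaped by Parsedown)` contradicts `setMarkupEscaped(false)` in process_markdown (Parsedown now passes markup through), so it should say `Escape the listed tags and strip on* handlers; everything else is passed through unchanged.` and `@return string given string escaped.` should read `@return string sanitized description.`. The tag pattern as shown on the page (`(.*]*>)?`) looks garbled by extraction, so its closing-tag half could not be reviewed; note that a greedy `.*` under the `s` modifier spans from the first opening tag to the last closing tag of that type and escapes everything in between.
```php
    // … unchanged: $escapeTags list and the per-tag escaping loop …
    // Strip on* handlers tag by tag, so every handler is removed whatever its
    // quoting style, and "on" inside other attribute names is left alone.
    $description = preg_replace_callback(
        '#<[^>]+>#s',
        function ($tagMatch) {
            return preg_replace(
                '#\s+on[a-z]+\s*=\s*("[^"]*"|\'[^\']*\'|[^\s>]+)#i',
                '',
                $tagMatch[0]);
        },
        $description);
    return $description;
```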
'. $processedDescription . '
    ';
     return $processedDescription;
-- cgit v1.2.3
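Review bot: The new `unescape($processedDescription)` call turns the stored, escaped description back into raw markup before Parsedown, so from this commit on the safety of every rendered description rests on `sanitize_html` (a short tag denylist) rather than on the escaping applied at save time; that trust boundary deserves a sentence in the docblock, e.g. `* 4. Sanitize HTML: the description is raw markup here, keep sanitize_html the last transformation before wrapping.`. The ordering itself is right (sanitizing after `->text()`, since the parser can emit markup of its own), but whether `unescape` exactly inverts `escape` cannot be checked here as both are defined outside this hunk. The closing brace of process_markdown is not visible in the hunk as rendered.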