From 1328d222680edf2ebdaea5624a7496240bd075f0 Mon Sep 17 00:00:00 2001
From: VirtualTam
Date: Wed, 8 Mar 2017 20:38:41 +0100
Subject: security: escape HTML entities when using Markdown

Adapted from https://github.com/shaarli/Shaarli/pull/785

Signed-off-by: VirtualTam
---
 plugins/markdown/markdown.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

(limited to 'plugins/markdown/markdown.php')

diff --git a/plugins/markdown/markdown.php b/plugins/markdown/markdown.php
index 57fcce32..9d073fbd 100644
--- a/plugins/markdown/markdown.php
+++ b/plugins/markdown/markdown.php
@@ -218,7 +218,7 @@ function process_markdown($description)
 $processedDescription = reverse_space2nbsp($processedDescription);
 $processedDescription = unescape($processedDescription);
 $processedDescription = $parsedown
- ->setMarkupEscaped(false)
+ ->setMarkupEscaped(true)
 ->setBreaksEnabled(true)
 ->text($processedDescription);
 $processedDescription = sanitize_html($processedDescription);
--
cgit v1.2.3
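Review bot: Flipping `setMarkupEscaped(true)` closes raw-HTML injection through the description, but as far as I can tell from Parsedown's API that flag only escapes inline and block HTML; it does not validate the URL scheme of links and images, so a description such as `[x](javascript:alert(1))` still reaches the `->text()` call as a live `<a href>`. The only thing standing between that and the page is the `sanitize_html($processedDescription)` call on the last line of the hunk, whose body is outside this diff — please confirm it rejects `javascript:`/`data:` targets (or adopt Parsedown's safe mode if the bundled version has it), and add a regression test with both a `<script>` payload and a `javascript:` link so the two layers are pinned independently. Note that the `unescape()` call two lines above deliberately un-escapes the stored description before parsing, so this line is now the one place that re-applies escaping; it deserves a why-comment, e.g. `// Escape raw HTML in the Markdown source: descriptions are user-controlled (see shaarli/Shaarli#785).`, since a future "make embedded HTML work again" change would otherwise look harmless. This is also a behaviour change for users who relied on embedding HTML in Markdown, which the commit message should say explicitly. `process_markdown()` begins before and continues after this hunk.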