From 9ff17ae20effa5d54fd8481c19518123590e3bd0 Mon Sep 17 00:00:00 2001 From: ArthurHoaro Date: Mon, 27 Feb 2017 19:45:55 +0100 Subject: Add markdown_escape setting This setting allows to escape HTML in markdown rendering or not. The goal behind it is to avoid XSS issue in shared instances. More info: * the setting is set to true by default * it is set to false for anyone who already have the plugin enabled (avoid breaking existing entries) * improve the HTML sanitization when the setting is set to false - but don't consider it XSS proof * mention the setting in the plugin README --- plugins/markdown/markdown.php | 29 ++++++++++++++++++----------- 1 file changed, 18 insertions(+), 11 deletions(-) (limited to 'plugins/markdown/markdown.php') diff --git a/plugins/markdown/markdown.php b/plugins/markdown/markdown.php index 0cf6e6e2..de7c823d 100644 --- a/plugins/markdown/markdown.php +++ b/plugins/markdown/markdown.php @@ -14,18 +14,19 @@ define('NO_MD_TAG', 'nomarkdown'); /** * Parse linklist descriptions. * - * @param array $data linklist data. + * @param array $data linklist data. + * @param ConfigManager $conf instance. * * @return mixed linklist data parsed in markdown (and converted to HTML). */ -function hook_markdown_render_linklist($data) +function hook_markdown_render_linklist($data, $conf) { foreach ($data['links'] as &$value) { if (!empty($value['tags']) && noMarkdownTag($value['tags'])) { $value = stripNoMarkdownTag($value); continue; } - $value['description'] = process_markdown($value['description']); + $value['description'] = process_markdown($value['description'], $conf->get('security.markdown_escape', true)); } return $data; } @@ -34,17 +35,18 @@ function hook_markdown_render_linklist($data) * Parse feed linklist descriptions. * * @param array $data linklist data. + * @param ConfigManager $conf instance. * * @return mixed linklist data parsed in markdown (and converted to HTML). */ -function hook_markdown_render_feed($data) +function hook_markdown_render_feed($data, $conf) { foreach ($data['links'] as &$value) { if (!empty($value['tags']) && noMarkdownTag($value['tags'])) { $value = stripNoMarkdownTag($value); continue; } - $value['description'] = process_markdown($value['description']); + $value['description'] = process_markdown($value['description'], $conf->get('security.markdown_escape', true)); } return $data; @@ -53,11 +55,12 @@ function hook_markdown_render_feed($data) /** * Parse daily descriptions. * - * @param array $data daily data. + * @param array $data daily data. + * @param ConfigManager $conf instance. * * @return mixed daily data parsed in markdown (and converted to HTML). */ -function hook_markdown_render_daily($data) +function hook_markdown_render_daily($data, $conf) { // Manipulate columns data foreach ($data['cols'] as &$value) { @@ -66,7 +69,10 @@ function hook_markdown_render_daily($data) $value2 = stripNoMarkdownTag($value2); continue; } - $value2['formatedDescription'] = process_markdown($value2['formatedDescription']); + $value2['formatedDescription'] = process_markdown( + $value2['formatedDescription'], + $conf->get('security.markdown_escape', true) + ); } } @@ -250,7 +256,7 @@ function sanitize_html($description) $description); } $description = preg_replace( - '#(<[^>]+)on[a-z]*="[^"]*"#is', + '#(<[^>]+)on[a-z]*="?[^ "]*"?#is', '$1', $description); return $description; @@ -265,10 +271,11 @@ function sanitize_html($description) * 5. Wrap description in 'markdown' CSS class. * * @param string $description input description text. + * @param bool $escape escape HTML entities * * @return string HTML processed $description. */ -function process_markdown($description) +function process_markdown($description, $escape = true) { $parsedown = new Parsedown(); @@ -278,7 +285,7 @@ function process_markdown($description) $processedDescription = reverse_text2clickable($processedDescription); $processedDescription = unescape($processedDescription); $processedDescription = $parsedown - ->setMarkupEscaped(false) + ->setMarkupEscaped($escape) ->setBreaksEnabled(true) ->text($processedDescription); $processedDescription = sanitize_html($processedDescription); -- cgit v1.2.3