From e350aa750f9e9e742bb60a1e04ebd9e21f763c78 Mon Sep 17 00:00:00 2001 From: ArthurHoaro Date: Sun, 18 Dec 2016 14:27:32 +0100 Subject: Fix typo in markdown plugin meta description --- plugins/markdown/markdown.meta | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'plugins/markdown') diff --git a/plugins/markdown/markdown.meta b/plugins/markdown/markdown.meta index 8df2ed0b..322856ea 100644 --- a/plugins/markdown/markdown.meta +++ b/plugins/markdown/markdown.meta @@ -1,4 +1,4 @@ description="Render shaare description with Markdown syntax.
Warning: -If your shaared descriptions containing HTML tags before enabling the markdown plugin, +If your shaared descriptions contained HTML tags before enabling the markdown plugin, enabling it might break your page. See the README." -- cgit v1.2.3 From 246d72e14344c417e37599b9ed4ce2c324e244f4 Mon Sep 17 00:00:00 2001 From: ArthurHoaro Date: Sat, 14 Jan 2017 15:57:34 +0100 Subject: Fix markdown plugin color overriding --- plugins/markdown/markdown.css | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'plugins/markdown') diff --git a/plugins/markdown/markdown.css b/plugins/markdown/markdown.css index 6789ce84..ce19cd2a 100644 --- a/plugins/markdown/markdown.css +++ b/plugins/markdown/markdown.css @@ -150,7 +150,7 @@ box-shadow: 0 -1px 0 #e5e5e5,0 0 1px rgba(0,0,0,0.12),0 1px 1px rgba(0,0,0,0.24); } -.md_help { +#pageheader .md_help { color: white; } -- cgit v1.2.3 From e03761011521929a375ebb56f21adacb226a3a8d Mon Sep 17 00:00:00 2001 From: ArthurHoaro Date: Mon, 27 Feb 2017 19:45:55 +0100 Subject: Add markdown_escape setting This setting allows to escape HTML in markdown rendering or not. The goal behind it is to avoid XSS issue in shared instances. More info: * the setting is set to true by default * it is set to false for anyone who already have the plugin enabled (avoid breaking existing entries) * improve the HTML sanitization when the setting is set to false - but don't consider it XSS proof * mention the setting in the plugin README --- plugins/markdown/README.md | 27 ++++++++++++++++++++------- plugins/markdown/markdown.php | 29 ++++++++++++++++++----------- 2 files changed, 38 insertions(+), 18 deletions(-) (limited to 'plugins/markdown') diff --git a/plugins/markdown/README.md b/plugins/markdown/README.md index aafcf066..bc9427e2 100644 --- a/plugins/markdown/README.md +++ b/plugins/markdown/README.md @@ -50,9 +50,20 @@ If the tag `nomarkdown` is set for a shaare, it won't be converted to Markdown s > Note: this is a special tag, so it won't be displayed in link list. -### HTML rendering +### HTML escape -Markdown support HTML tags. For example: +By default, HTML tags are escaped. You can enable HTML tags rendering +by setting `security.markdwon_escape` to `false` in `data/config.json.php`: + +```json +{ + "security": { + "markdown_escape": false + } +} +``` + +With this setting, Markdown support HTML tags. For example: > strongstrike @@ -60,12 +71,14 @@ Will render as: > strongstrike -If you want to shaare HTML code, it is necessary to use inline code or code blocks. - -**If your shaared descriptions containing HTML tags before enabling the markdown plugin, -enabling it might break your page.** -> Note: HTML tags such as script, iframe, etc. are disabled for security reasons. +**Warning:** + + * This setting might present **security risks** (XSS) on shared instances, even though tags + such as script, iframe, etc should be disabled. + * If you want to shaare HTML code, it is necessary to use inline code or code blocks. + * If your shaared descriptions contained HTML tags before enabling the markdown plugin, +enabling it might break your page. ### Known issue diff --git a/plugins/markdown/markdown.php b/plugins/markdown/markdown.php index 0cf6e6e2..de7c823d 100644 --- a/plugins/markdown/markdown.php +++ b/plugins/markdown/markdown.php @@ -14,18 +14,19 @@ define('NO_MD_TAG', 'nomarkdown'); /** * Parse linklist descriptions. * - * @param array $data linklist data. + * @param array $data linklist data. + * @param ConfigManager $conf instance. * * @return mixed linklist data parsed in markdown (and converted to HTML). */ -function hook_markdown_render_linklist($data) +function hook_markdown_render_linklist($data, $conf) { foreach ($data['links'] as &$value) { if (!empty($value['tags']) && noMarkdownTag($value['tags'])) { $value = stripNoMarkdownTag($value); continue; } - $value['description'] = process_markdown($value['description']); + $value['description'] = process_markdown($value['description'], $conf->get('security.markdown_escape', true)); } return $data; } @@ -34,17 +35,18 @@ function hook_markdown_render_linklist($data) * Parse feed linklist descriptions. * * @param array $data linklist data. + * @param ConfigManager $conf instance. * * @return mixed linklist data parsed in markdown (and converted to HTML). */ -function hook_markdown_render_feed($data) +function hook_markdown_render_feed($data, $conf) { foreach ($data['links'] as &$value) { if (!empty($value['tags']) && noMarkdownTag($value['tags'])) { $value = stripNoMarkdownTag($value); continue; } - $value['description'] = process_markdown($value['description']); + $value['description'] = process_markdown($value['description'], $conf->get('security.markdown_escape', true)); } return $data; @@ -53,11 +55,12 @@ function hook_markdown_render_feed($data) /** * Parse daily descriptions. * - * @param array $data daily data. + * @param array $data daily data. + * @param ConfigManager $conf instance. * * @return mixed daily data parsed in markdown (and converted to HTML). */ -function hook_markdown_render_daily($data) +function hook_markdown_render_daily($data, $conf) { // Manipulate columns data foreach ($data['cols'] as &$value) { @@ -66,7 +69,10 @@ function hook_markdown_render_daily($data) $value2 = stripNoMarkdownTag($value2); continue; } - $value2['formatedDescription'] = process_markdown($value2['formatedDescription']); + $value2['formatedDescription'] = process_markdown( + $value2['formatedDescription'], + $conf->get('security.markdown_escape', true) + ); } } @@ -250,7 +256,7 @@ function sanitize_html($description) $description); } $description = preg_replace( - '#(<[^>]+)on[a-z]*="[^"]*"#is', + '#(<[^>]+)on[a-z]*="?[^ "]*"?#is', '$1', $description); return $description; @@ -265,10 +271,11 @@ function sanitize_html($description) * 5. Wrap description in 'markdown' CSS class. * * @param string $description input description text. + * @param bool $escape escape HTML entities * * @return string HTML processed $description. */ -function process_markdown($description) +function process_markdown($description, $escape = true) { $parsedown = new Parsedown(); @@ -278,7 +285,7 @@ function process_markdown($description) $processedDescription = reverse_text2clickable($processedDescription); $processedDescription = unescape($processedDescription); $processedDescription = $parsedown - ->setMarkupEscaped(false) + ->setMarkupEscaped($escape) ->setBreaksEnabled(true) ->text($processedDescription); $processedDescription = sanitize_html($processedDescription); -- cgit v1.2.3 From 86ceea054f5f85157b04473bac5bfb6ff86ca31f Mon Sep 17 00:00:00 2001 From: ArthurHoaro Date: Thu, 25 May 2017 14:52:42 +0200 Subject: Add a whitelist of protocols for URLs - for Shaare - for markdown description links and images Not whitelisted protocols will be replaced by `http://` --- plugins/markdown/markdown.php | 37 +++++++++++++++++++++++++++++++++---- 1 file changed, 33 insertions(+), 4 deletions(-) (limited to 'plugins/markdown') diff --git a/plugins/markdown/markdown.php b/plugins/markdown/markdown.php index de7c823d..772c56e8 100644 --- a/plugins/markdown/markdown.php +++ b/plugins/markdown/markdown.php @@ -26,7 +26,11 @@ function hook_markdown_render_linklist($data, $conf) $value = stripNoMarkdownTag($value); continue; } - $value['description'] = process_markdown($value['description'], $conf->get('security.markdown_escape', true)); + $value['description'] = process_markdown( + $value['description'], + $conf->get('security.markdown_escape', true), + $conf->get('security.allowed_protocols') + ); } return $data; } @@ -46,7 +50,11 @@ function hook_markdown_render_feed($data, $conf) $value = stripNoMarkdownTag($value); continue; } - $value['description'] = process_markdown($value['description'], $conf->get('security.markdown_escape', true)); + $value['description'] = process_markdown( + $value['description'], + $conf->get('security.markdown_escape', true), + $conf->get('security.allowed_protocols') + ); } return $data; @@ -71,7 +79,8 @@ function hook_markdown_render_daily($data, $conf) } $value2['formatedDescription'] = process_markdown( $value2['formatedDescription'], - $conf->get('security.markdown_escape', true) + $conf->get('security.markdown_escape', true), + $conf->get('security.allowed_protocols') ); } } @@ -231,6 +240,25 @@ function reverse_space2nbsp($description) return preg_replace('/(^| ) /m', '$1 ', $description); } +/** + * Replace not whitelisted protocols with http:// in given description. + * + * @param string $description input description text. + * @param array $allowedProtocols list of allowed protocols. + * + * @return string $description without malicious link. + */ +function filter_protocols($description, $allowedProtocols) +{ + return preg_replace_callback( + '#]\((.*?)\)#is', + function ($match) use ($allowedProtocols) { + return ']('. whitelist_protocols($match[1], $allowedProtocols) .')'; + }, + $description + ); +} + /** * Remove dangerous HTML tags (tags, iframe, etc.). * Doesn't affect content (already escaped by Parsedown). @@ -275,7 +303,7 @@ function sanitize_html($description) * * @return string HTML processed $description. */ -function process_markdown($description, $escape = true) +function process_markdown($description, $escape = true, $allowedProtocols = []) { $parsedown = new Parsedown(); @@ -283,6 +311,7 @@ function process_markdown($description, $escape = true) $processedDescription = reverse_nl2br($processedDescription); $processedDescription = reverse_space2nbsp($processedDescription); $processedDescription = reverse_text2clickable($processedDescription); + $processedDescription = filter_protocols($processedDescription, $allowedProtocols); $processedDescription = unescape($processedDescription); $processedDescription = $parsedown ->setMarkupEscaped($escape) -- cgit v1.2.3 From 12266213d098a53c5f005b9afcbbe62771fd580c Mon Sep 17 00:00:00 2001 From: ArthurHoaro Date: Tue, 9 May 2017 18:12:15 +0200 Subject: Shaarli's translation * translation system and unit tests * Translations everywhere Dont use translation merge It is not available with PHP builtin gettext, so it would have lead to inconsistency. --- plugins/markdown/help.html | 6 +++--- plugins/markdown/markdown.php | 21 +++++++++++++++++++-- 2 files changed, 22 insertions(+), 5 deletions(-) (limited to 'plugins/markdown') diff --git a/plugins/markdown/help.html b/plugins/markdown/help.html index 9c4e5ae0..ded3d347 100644 --- a/plugins/markdown/help.html +++ b/plugins/markdown/help.html @@ -1,5 +1,5 @@
- Description will be rendered with - - Markdown syntax. + %s + + %s.
diff --git a/plugins/markdown/markdown.php b/plugins/markdown/markdown.php index 772c56e8..1531549d 100644 --- a/plugins/markdown/markdown.php +++ b/plugins/markdown/markdown.php @@ -154,8 +154,13 @@ function hook_markdown_render_includes($data) function hook_markdown_render_editlink($data) { // Load help HTML into a string - $data['edit_link_plugin'][] = file_get_contents(PluginManager::$PLUGINS_PATH .'/markdown/help.html'); - + $txt = file_get_contents(PluginManager::$PLUGINS_PATH .'/markdown/help.html'); + $translations = [ + t('Description will be rendered with'), + t('Markdown syntax documentation'), + t('Markdown syntax'), + ]; + $data['edit_link_plugin'][] = vsprintf($txt, $translations); // Add no markdown 'meta-tag' in tag list if it was never used, for autocompletion. if (! in_array(NO_MD_TAG, $data['tags'])) { $data['tags'][NO_MD_TAG] = 0; @@ -325,3 +330,15 @@ function process_markdown($description, $escape = true, $allowedProtocols = []) return $processedDescription; } + +/** + * This function is never called, but contains translation calls for GNU gettext extraction. + */ +function markdown_dummy_translation() +{ + // meta + t('Render shaare description with Markdown syntax.
Warning: +If your shaared descriptions contained HTML tags before enabling the markdown plugin, +enabling it might break your page. +See the README.'); +} -- cgit v1.2.3