From 1328d222680edf2ebdaea5624a7496240bd075f0 Mon Sep 17 00:00:00 2001
From: VirtualTam <virtualtam@flibidi.net>
Date: Wed, 8 Mar 2017 20:38:41 +0100
Subject: security: escape HTML entities when using Markdown

Adapted from https://github.com/shaarli/Shaarli/pull/785

Signed-off-by: VirtualTam <virtualtam@flibidi.net>
---
 plugins/markdown/markdown.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

(limited to 'plugins')

diff --git a/plugins/markdown/markdown.php b/plugins/markdown/markdown.php
index 57fcce32..9d073fbd 100644
--- a/plugins/markdown/markdown.php
+++ b/plugins/markdown/markdown.php
@@ -218,7 +218,7 @@ function process_markdown($description)
     $processedDescription = reverse_space2nbsp($processedDescription);
     $processedDescription = unescape($processedDescription);
     $processedDescription = $parsedown
-        ->setMarkupEscaped(false)
+        ->setMarkupEscaped(true)
         ->setBreaksEnabled(true)
         ->text($processedDescription);
     $processedDescription = sanitize_html($processedDescription);
-- 
cgit v1.2.3