Merge pull request #491 from ArthurHoaro/markdown-escape2
Markdown: don't escape content + sanitize sensible tags
This commit is contained in:
commit
10269bc8c9
3 changed files with 58 additions and 16 deletions
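--- a/plugins/markdown
+++ b/plugins/markdown
@@ -117,23 +117,43 @@ function reverse_space2nbsp($description)
 }
 
 /**
-* Remove '>' at start of line auto generated by Shaarli core system
-* to allow markdown blockquotes.
+* Remove dangerous HTML tags (tags, iframe, etc.).
+* Doesn't affect <code> content (already escaped by Parsedown).
 *
 * @param string $description input description text.
 *
-* @return string $description without HTML links.
+* @return string given string escaped.
 */
-function reset_quote_tags($description)
+function sanitize_html($description)
 {
-return preg_replace('/^( *)> /m', '$1> ', $description);
+$escapeTags = array(
+'script',
+'style',
+'link',
+'iframe',
+'frameset',
+'frame',
+);
+foreach ($escapeTags as $tag) {
+$description = preg_replace_callback(
+'#<\s*'. $tag .'[^>]*>(.*</\s*'. $tag .'[^>]*>)?#is',
+function ($match) { return escape($match[0]); },
+$description);
+}
+$description = preg_replace(
+'#(<[^>]+)on[a-z]*="[^"]*"#is',
+'$1',
+$description);
+return $description;
 }
 
 /**
 * Render shaare contents through Markdown parser.
 * 1. Remove HTML generated by Shaarli core.
-* 2. Generate markdown descriptions.
-* 3. Wrap description in 'markdown' CSS class.
+* 2. Reverse the escape function.
+* 3. Generate markdown descriptions.
+* 4. Sanitize sensible HTML tags for security.
+* 5. Wrap description in 'markdown' CSS class.
 *
 * @param string $description input description text.
 *
@@ -147,11 +167,12 @@ function process_markdown($description)
 $processedDescription = reverse_text2clickable($processedDescription);
 $processedDescription = reverse_nl2br($processedDescription);
 $processedDescription = reverse_space2nbsp($processedDescription);
-$processedDescription = reset_quote_tags($processedDescription);
+$processedDescription = unescape($processedDescription);
 $processedDescription = $parsedown
 ->setMarkupEscaped(false)
 ->setBreaksEnabled(true)
 ->text($processedDescription);
+$processedDescription = sanitize_html($processedDescription);
 $processedDescription = '<div class="markdown">'. $processedDescription . '</div>';
 
 return $processedDescription;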
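Review bot: The attribute-stripping pattern `'#(<[^>]+)on[a-z]*="[^"]*"#is'` in sanitize_html has no boundary before `on`, so `[^>]+` can backtrack into any attribute whose name merely ends that way — `<form action="…">` comes out as `<form acti>` — and it only recognises double-quoted values, so single-quoted or unquoted handler attributes, and URL-scheme values in `href`/`src`, pass through untouched. At minimum require whitespace before the attribute name and accept the other quoting forms, e.g. `'#(<[^>]+)\son[a-z]*\s*=\s*("[^"]*"|\'[^\']*\'|[^\s>]+)#is'`; a denylist regex over Parsedown's output is fragile by nature, and an allowlist-based HTML sanitizer would be the more durable fix. The new docblock's `(tags, iframe, etc.)` also reads like a slip for `(script, iframe, etc.)`.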