mirror
/
parsedown
mirror of https://github.com/erusev/parsedown.git
1
0
Fork 0
Code Releases Activity

Prevent various XSS attacks

This commit is contained in:
naNuke 2015-01-21 03:50:36 +01:00 committed by Aidan Woods
parent 4367f89a74
commit 1140613fc7
1 changed files with 16 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

17
Parsedown.php
View File

@ -75,6 +75,15 @@ class Parsedown
protected $urlsLinked = true;
function setSafeLinksEnabled($safeLinksEnabled)
{
$this->safeLinksEnabled = $safeLinksEnabled;
return $this;
}
protected $safeLinksEnabled = true;
#
# Lines
#
@ -1253,7 +1262,13 @@ class Parsedown
$Element['attributes']['title'] = $Definition['title'];
}
$Element['attributes']['href'] = str_replace(array('&', '<'), array('&amp;', '&lt;'), $Element['attributes']['href']);
if ( $this->safeLinksEnabled && stripos($Element['attributes']['href'], 'javascript:') === 0 )
{
return;
}
$Element['attributes']['href'] = htmlspecialchars($Element['attributes']['href']);
$Element['text'] = htmlspecialchars($Element['text']);
return array(
'extent' => $extent,