
Prevent various XSS attacks

This commit is contained in:
naNuke 2015-01-21 03:50:36 +01:00 committed by Aidan Woods
parent 4367f89a74
commit 1140613fc7


@ -75,6 +75,15 @@ class Parsedown
protected $urlsLinked = true; protected $urlsLinked = true;
function setSafeLinksEnabled($safeLinksEnabled)
{
$this->safeLinksEnabled = $safeLinksEnabled;
return $this;
}
protected $safeLinksEnabled = true;
# #
# Lines # Lines
# #
@ -1253,7 +1262,13 @@ class Parsedown
$Element['attributes']['title'] = $Definition['title']; $Element['attributes']['title'] = $Definition['title'];
} }
$Element['attributes']['href'] = str_replace(array('&', '<'), array('&amp;', '&lt;'), $Element['attributes']['href']); if ( $this->safeLinksEnabled && stripos($Element['attributes']['href'], 'javascript:') === 0 )
{
return;
}
$Element['attributes']['href'] = htmlspecialchars($Element['attributes']['href']);
$Element['text'] = htmlspecialchars($Element['text']);
return array( return array(
'extent' => $extent, 'extent' => $extent,
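Review bot: The guard added in the second hunk, `stripos($Element['attributes']['href'], 'javascript:') === 0`, is a denylist of a single scheme matched at offset 0, so any other script-capable scheme, and a scheme written after leading whitespace or control characters (which browsers tolerate), still passes into the output; an allowlist of the schemes the parser is willing to link is the more robust shape. For example `$scheme = parse_url(trim($Element['attributes']['href']), PHP_URL_SCHEME);` followed by `if ($this->safeLinksEnabled && $scheme !== null && !in_array(strtolower($scheme), array('http', 'https', 'mailto'), true)) { return; }` keeps relative links and common absolute ones while rejecting everything else. The two `htmlspecialchars` calls are made without flags or a charset, so the escaping depends on the server's `default_charset` ini setting; `htmlspecialchars($value, ENT_QUOTES, 'UTF-8')` pins it. The `setSafeLinksEnabled` setter in the first hunk has no docblock; `/** When enabled, drop links whose href uses a scheme that can execute script. */` would tell callers what the toggle actually guards. The enclosing `inlineLink` method begins and ends outside the second hunk.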