mirror/parsedown
1
0
Fork 0
mirror of https://github.com/erusev/parsedown.git synced 2023-08-10 21:13:06 +03:00
Code Releases Activity

Allow extension to "vouch" for raw HTML they produce

Browse Source 
Rename "unsafeHtml" to "rawHtml"
This commit is contained in:
Aidan Woods 2018-03-15 19:46:03 +00:00
parent ef7ed7b66c
commit 3fc54bc966
No known key found for this signature in database
GPG Key ID: 9A6A8EFAA512BBB9
4 changed files with 78 additions and 26 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

25
Parsedown.php
View File

@ -1488,18 +1488,33 @@ class Parsedown
} }
} }
$unsafeHtml = false; $permitRawHtml = false;
if (isset($Element['text'])) if (isset($Element['text']))
{ {
$text = $Element['text']; $text = $Element['text'];
} }
// very strongly consider an alternative if you're writing an // very strongly consider an alternative if you're writing an
// extension // extension
elseif (isset($Element['unsafeHtml'])) elseif (isset($Element['rawHtml']))
{ {
$text = $Element['unsafeHtml']; $text = $Element['rawHtml'];
$unsafeHtml = true; $allowRawHtmlInSafeMode = false;
if (isset($Element['allowRawHtmlInSafeMode']))
{
$allowRawHtmlInSafeMode = (true === $Element['allowRawHtmlInSafeMode']);
}
if ($this->safeMode !== true)
{
$permitRawHtml = true;
}
elseif ($this->safeMode and $allowRawHtmlInSafeMode)
{
$permitRawHtml = true;
}
} }
if (isset($text)) if (isset($text))
@ -1515,7 +1530,7 @@ class Parsedown
{ {
$markup .= $this->{$Element['handler']}($text, $Element['nonNestables']); $markup .= $this->{$Element['handler']}($text, $Element['nonNestables']);
} }
elseif ($unsafeHtml !== true or $this->safeMode) elseif ($permitRawHtml !== true)
{ {
$markup .= self::escape($text, true); $markup .= self::escape($text, true);
} }

21
test/ParsedownTest.php
View File

@ -1,5 +1,5 @@
<?php <?php
require 'UnsafeExtension.php'; require 'SampleExtensions.php';
use PHPUnit\Framework\TestCase; use PHPUnit\Framework\TestCase;
@ -56,7 +56,7 @@ class ParsedownTest extends TestCase
$this->assertEquals($expectedMarkup, $actualMarkup); $this->assertEquals($expectedMarkup, $actualMarkup);
} }
function testUnsafeHtml() function testRawHtml()
{ {
$markdown = "```php\nfoobar\n```"; $markdown = "```php\nfoobar\n```";
$expectedMarkup = '<pre><code class="language-php"><p>foobar</p></code></pre>'; $expectedMarkup = '<pre><code class="language-php"><p>foobar</p></code></pre>';
@ -73,6 +73,23 @@ class ParsedownTest extends TestCase
$this->assertEquals($expectedSafeMarkup, $actualSafeMarkup); $this->assertEquals($expectedSafeMarkup, $actualSafeMarkup);
} }
function testTrustDelegatedRawHtml()
{
$markdown = "```php\nfoobar\n```";
$expectedMarkup = '<pre><code class="language-php"><p>foobar</p></code></pre>';
$expectedSafeMarkup = $expectedMarkup;
$unsafeExtension = new TrustDelegatedExtension;
$actualMarkup = $unsafeExtension->text($markdown);
$this->assertEquals($expectedMarkup, $actualMarkup);
$unsafeExtension->setSafeMode(true);
$actualSafeMarkup = $unsafeExtension->text($markdown);
$this->assertEquals($expectedSafeMarkup, $actualSafeMarkup);
}
function data() function data()
{ {
$data = array(); $data = array();

39
test/SampleExtensions.php Normal file
View File

@ -0,0 +1,39 @@
<?php
class UnsafeExtension extends Parsedown
{
protected function blockFencedCodeComplete($Block)
{
$text = $Block['element']['text']['text'];
unset($Block['element']['text']['text']);
// WARNING: There is almost always a better way of doing things!
//
// This example is one of them, unsafe behaviour is NOT needed here.
// Only use this if you trust the input and have no idea what
// the output HTML will look like (e.g. using an external parser).
$Block['element']['text']['rawHtml'] = "<p>$text</p>";
return $Block;
}
}
class TrustDelegatedExtension extends Parsedown
{
protected function blockFencedCodeComplete($Block)
{
$text = $Block['element']['text']['text'];
unset($Block['element']['text']['text']);
// WARNING: There is almost always a better way of doing things!
//
// This example is one of them, unsafe behaviour is NOT needed here.
// Only use this if you trust the input and have no idea what
// the output HTML will look like (e.g. using an external parser).
$Block['element']['text']['rawHtml'] = "<p>$text</p>";
$Block['element']['text']['allowRawHtmlInSafeMode'] = true;
return $Block;
}
}

19
test/UnsafeExtension.php
View File

@ -1,19 +0,0 @@
<?php
class UnsafeExtension extends Parsedown
{
protected function blockFencedCodeComplete($Block)
{
$text = $Block['element']['text']['text'];
unset($Block['element']['text']['text']);
// WARNING: There is almost always a better way of doing things!
//
// This example is one of them, unsafe behaviour is NOT needed here.
// Only use this if you trust the input and have no idea what
// the output HTML will look like (e.g. using an external parser).
$Block['element']['text']['unsafeHtml'] = "<p>$text</p>";
return $Block;
}
}