Allow extension to "vouch" for raw HTML they produce

Rename "unsafeHtml" to "rawHtml"
2023-08-10 21:13:06 +03:00 · 2018-03-15 19:46:03 +00:00 · 2018-03-15 19:46:03 +00:00 · 3fc54bc966
commit 3fc54bc966
parent ef7ed7b66c
4 changed files with 78 additions and 26 deletions
--- a/Parsedown.php
+++ b/Parsedown.php
@ -1488,18 +1488,33 @@ class Parsedown
            }
        }

-        $unsafeHtml = false;
+        $permitRawHtml = false;
+
        if (isset($Element['text']))
        {
            $text = $Element['text'];
        }
        // very strongly consider an alternative if you're writing an
        // extension
-        elseif (isset($Element['unsafeHtml']))
+        elseif (isset($Element['rawHtml']))
        {
-            $text = $Element['unsafeHtml'];
+            $text = $Element['rawHtml'];

-            $unsafeHtml = true;
+            $allowRawHtmlInSafeMode = false;
+
+            if (isset($Element['allowRawHtmlInSafeMode']))
+            {
+                $allowRawHtmlInSafeMode = (true === $Element['allowRawHtmlInSafeMode']);
+            }
+
+            if ($this->safeMode !== true)
+            {
+                $permitRawHtml = true;
+            }
+            elseif ($this->safeMode and $allowRawHtmlInSafeMode)
+            {
+                $permitRawHtml = true;
+            }
        }

        if (isset($text))
@ -1515,7 +1530,7 @@ class Parsedown
            {
                $markup .= $this->{$Element['handler']}($text, $Element['nonNestables']);
            }
-            elseif ($unsafeHtml !== true or $this->safeMode)
+            elseif ($permitRawHtml !== true)
            {
                $markup .= self::escape($text, true);
            }
--- a/test/ParsedownTest.php
+++ b/test/ParsedownTest.php
@ -1,5 +1,5 @@
 <?php
-require 'UnsafeExtension.php';
+require 'SampleExtensions.php';

 use PHPUnit\Framework\TestCase;

@ -56,7 +56,7 @@ class ParsedownTest extends TestCase
        $this->assertEquals($expectedMarkup, $actualMarkup);
    }

-    function testUnsafeHtml()
+    function testRawHtml()
    {
        $markdown = "```php\nfoobar\n```";
        $expectedMarkup = '<pre><code class="language-php"><p>foobar</p></code></pre>';
@ -73,6 +73,23 @@ class ParsedownTest extends TestCase
        $this->assertEquals($expectedSafeMarkup, $actualSafeMarkup);
    }

+    function testTrustDelegatedRawHtml()
+    {
+        $markdown = "```php\nfoobar\n```";
+        $expectedMarkup = '<pre><code class="language-php"><p>foobar</p></code></pre>';
+        $expectedSafeMarkup = $expectedMarkup;
+
+        $unsafeExtension = new TrustDelegatedExtension;
+        $actualMarkup = $unsafeExtension->text($markdown);
+
+        $this->assertEquals($expectedMarkup, $actualMarkup);
+
+        $unsafeExtension->setSafeMode(true);
+        $actualSafeMarkup = $unsafeExtension->text($markdown);
+
+        $this->assertEquals($expectedSafeMarkup, $actualSafeMarkup);
+    }
+
    function data()
    {
        $data = array();
--- a/test/SampleExtensions.php
+++ b/test/SampleExtensions.php
@ -0,0 +1,39 @@
+<?php
+
+class UnsafeExtension extends Parsedown
+{
+    protected function blockFencedCodeComplete($Block)
+    {
+        $text = $Block['element']['text']['text'];
+        unset($Block['element']['text']['text']);
+
+        // WARNING: There is almost always a better way of doing things!
+        //
+        // This example is one of them, unsafe behaviour is NOT needed here.
+        // Only use this if you trust the input and have no idea what
+        // the output HTML will look like (e.g. using an external parser).
+        $Block['element']['text']['rawHtml'] = "<p>$text</p>";
+
+        return $Block;
+    }
+}
+
+
+class TrustDelegatedExtension extends Parsedown
+{
+    protected function blockFencedCodeComplete($Block)
+    {
+        $text = $Block['element']['text']['text'];
+        unset($Block['element']['text']['text']);
+
+        // WARNING: There is almost always a better way of doing things!
+        //
+        // This example is one of them, unsafe behaviour is NOT needed here.
+        // Only use this if you trust the input and have no idea what
+        // the output HTML will look like (e.g. using an external parser).
+        $Block['element']['text']['rawHtml'] = "<p>$text</p>";
+        $Block['element']['text']['allowRawHtmlInSafeMode'] = true;
+
+        return $Block;
+    }
+}
--- a/test/UnsafeExtension.php
+++ b/test/UnsafeExtension.php
@ -1,19 +0,0 @@
-<?php
-
-class UnsafeExtension extends Parsedown
-{
-    protected function blockFencedCodeComplete($Block)
-    {
-        $text = $Block['element']['text']['text'];
-        unset($Block['element']['text']['text']);
-
-        // WARNING: There is almost always a better way of doing things!
-        //
-        // This example is one of them, unsafe behaviour is NOT needed here.
-        // Only use this if you trust the input and have no idea what
-        // the output HTML will look like (e.g. using an external parser).
-        $Block['element']['text']['unsafeHtml'] = "<p>$text</p>";
-
-        return $Block;
-    }
-}