mirror/parsedown
1
0
Fork 0
mirror of https://github.com/erusev/parsedown.git synced 2023-08-10 21:13:06 +03:00
Code Releases Activity

whitelist regex for good attribute (no

Browse Source 
no chars that could form a delimiter allowed
This commit is contained in:
Aidan Woods 2017-05-03 00:39:01 +01:00
parent aee3963e6b
commit 4bae1c9834
No known key found for this signature in database
GPG Key ID: 9A6A8EFAA512BBB9
1 changed files with 7 additions and 14 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

21
Parsedown.php
View File

@ -1505,7 +1505,7 @@ class Parsedown
protected function sanitiseElement(array $Element)
{
static $badAttributeChars = "\"'= \t\n\r\0\x0B";
static $goodAttribute = '/^[a-zA-Z0-9][a-zA-Z0-9-_]*+$/';
static $safeUrlNameToAtt = array(
'a' => 'href',
'img' => 'src',
@ -1520,23 +1520,16 @@ class Parsedown
{
foreach ($Element['attributes'] as $att => $val)
{
# clear out nulls
if ($val === null)
{
unset($Element['attributes'][$att]);
}
# filter out badly parsed attribute
elseif (strpbrk($att, $badAttributeChars) !== false)
if ( ! preg_match($goodAttribute, $att))
{
unset($Element['attributes'][$att]);
}
# dump onevent attribute
elseif (preg_match('/^on/i', $att))
{
unset($Element['attributes'][$att]);
}
}
$onEventAttributeKeys = preg_grep('/^on/i', array_keys($Element['attributes']));
foreach ($onEventAttributeKeys as $att)
{
unset($Element['attributes'][$att]);
}
}