dump attributes that contain characters that are impossible for validity, or very unlikely

Aidan Woods 2017-05-02 00:30:04 +01:00
parent 131ba75851
commit 6d0156d707
No known key found for this signature in database
GPG Key ID: 9A6A8EFAA512BBB9
1 changed files with 16 additions and 7 deletions


@ -1503,7 +1503,8 @@ class Parsedown
protected function sanitiseElement(array $Element)
{
$safeUrlNameToAtt = array(
static $badAttributeChars = "\"'= \t\n\r\0\x0B";
static $safeUrlNameToAtt = array(
'a' => 'href',
'img' => 'src',
);
@ -1515,13 +1516,21 @@ class Parsedown
if ( ! empty($Element['attributes']))
{
# clear out nulls
$Element['attributes'] = array_filter(
$Element['attributes'],
function ($v) {return $v !== null;}
);
foreach ($Element['attributes'] as $att => $val)
{
# clear out nulls
if ($val === null)
{
unset($Element['attributes'][$att]);
}
# filter out badly parsed attribute
elseif (strpbrk($att, $badAttributeChars) !== false)
{
unset($Element['attributes'][$att]);
}
}
$onEventAttributes = preg_grep('/^\s*+on/i', array_flip($Element['attributes']));
$onEventAttributes = preg_grep('/^on/i', array_flip($Element['attributes']));
foreach ($onEventAttributes as $att)
{
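Review bot: The `$badAttributeChars` deny-list tested by `strpbrk()` in the second hunk leaves out bytes that HTML parsers also treat as attribute-name delimiters: form feed (`\x0C`), `/`, `>` and `<`. If `/^on/i` is the new side of the `preg_grep` pair (the page does not mark sides), the on-event check now relies on this list to strip leading whitespace, and form feed, which `\s` used to cover, is no longer caught by either check. An allow-list on the name is easier to audit than enumerating bad bytes, for example `elseif ( ! preg_match('/^[a-zA-Z0-9][a-zA-Z0-9_-]*+$/', $att))`. `sanitiseElement` starts before and continues after the lines shown, so the rest of the attribute handling is not visible here.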