
dump attributes that contain characters that are impossible for validity, or very unlikely

This commit is contained in:
Aidan Woods 2017-05-02 00:30:04 +01:00
parent 131ba75851
commit 6d0156d707
No known key found for this signature in database
GPG Key ID: 9A6A8EFAA512BBB9


@ -1503,7 +1503,8 @@ class Parsedown
protected function sanitiseElement(array $Element) protected function sanitiseElement(array $Element)
{ {
$safeUrlNameToAtt = array( static $badAttributeChars = "\"'= \t\n\r\0\x0B";
static $safeUrlNameToAtt = array(
'a' => 'href', 'a' => 'href',
'img' => 'src', 'img' => 'src',
); );
@ -1514,14 +1515,22 @@ class Parsedown
} }
if ( ! empty($Element['attributes'])) if ( ! empty($Element['attributes']))
{
foreach ($Element['attributes'] as $att => $val)
{ {
# clear out nulls # clear out nulls
$Element['attributes'] = array_filter( if ($val === null)
$Element['attributes'], {
function ($v) {return $v !== null;} unset($Element['attributes'][$att]);
); }
# filter out badly parsed attribute
elseif (strpbrk($att, $badAttributeChars) !== false)
{
unset($Element['attributes'][$att]);
}
}
$onEventAttributes = preg_grep('/^\s*+on/i', array_flip($Element['attributes'])); $onEventAttributes = preg_grep('/^on/i', array_flip($Element['attributes']));
foreach ($onEventAttributes as $att) foreach ($onEventAttributes as $att)
{ {