
drop attributes whose names contain characters that make them invalid, or very unlikely to be valid

This commit is contained in:
Aidan Woods 2017-05-02 00:30:04 +01:00
parent 131ba75851
commit 6d0156d707
No known key found for this signature in database
GPG Key ID: 9A6A8EFAA512BBB9


@ -1503,7 +1503,8 @@ class Parsedown
protected function sanitiseElement(array $Element)
{
$safeUrlNameToAtt = array(
static $badAttributeChars = "\"'= \t\n\r\0\x0B";
static $safeUrlNameToAtt = array(
'a' => 'href',
'img' => 'src',
);
@ -1514,14 +1515,22 @@ class Parsedown
}
if ( ! empty($Element['attributes']))
{
foreach ($Element['attributes'] as $att => $val)
{
# clear out nulls
$Element['attributes'] = array_filter(
$Element['attributes'],
function ($v) {return $v !== null;}
);
if ($val === null)
{
unset($Element['attributes'][$att]);
}
# filter out badly parsed attribute
elseif (strpbrk($att, $badAttributeChars) !== false)
{
unset($Element['attributes'][$att]);
}
}
$onEventAttributes = preg_grep('/^\s*+on/i', array_flip($Element['attributes']));
$onEventAttributes = preg_grep('/^on/i', array_flip($Element['attributes']));
foreach ($onEventAttributes as $att)
{