mirror/parsedown
1
0
Fork 0
mirror of https://github.com/erusev/parsedown.git synced 2023-08-10 21:13:06 +03:00
Code Releases Activity

Add rawHtml without using it (extensions may opt-in)

Browse Source
This commit is contained in:
Aidan Woods 2019-12-30 22:31:43 +00:00
parent 7073ac3ed1
commit add8d18c80
No known key found for this signature in database
GPG Key ID: 9A6A8EFAA512BBB9
3 changed files with 97 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

23
Parsedown.php
View File

@ -1489,7 +1489,22 @@ class Parsedown
} }
} }
$permitRawHtml = false;
if (isset($Element['text'])) if (isset($Element['text']))
{
$text = $Element['text'];
}
// very strongly consider an alternative if you're writing an
// extension
elseif (isset($Element['rawHtml']))
{
$text = $Element['rawHtml'];
$allowRawHtmlInSafeMode = isset($Element['allowRawHtmlInSafeMode']) && $Element['allowRawHtmlInSafeMode'];
$permitRawHtml = !$this->safeMode || $allowRawHtmlInSafeMode;
}
if (isset($text))
{ {
$markup .= '>'; $markup .= '>';
@ -1500,11 +1515,15 @@ class Parsedown
if (isset($Element['handler'])) if (isset($Element['handler']))
{ {
$markup .= $this->{$Element['handler']}($Element['text'], $Element['nonNestables']); $markup .= $this->{$Element['handler']}($text, $Element['nonNestables']);
}
elseif (!$permitRawHtml)
{
$markup .= self::escape($text, true);
} }
else else
{ {
$markup .= self::escape($Element['text'], true); $markup .= $text;
} }
$markup .= '</'.$Element['name'].'>'; $markup .= '</'.$Element['name'].'>';

36
test/ParsedownTest.php
View File

@ -1,5 +1,7 @@
<?php <?php
require 'SampleExtensions.php';
use PHPUnit\Framework\TestCase; use PHPUnit\Framework\TestCase;
class ParsedownTest extends TestCase class ParsedownTest extends TestCase
@ -55,6 +57,40 @@ class ParsedownTest extends TestCase
$this->assertEquals($expectedMarkup, $actualMarkup); $this->assertEquals($expectedMarkup, $actualMarkup);
} }
function testRawHtml()
{
$markdown = "```php\nfoobar\n```";
$expectedMarkup = '<pre><code class="language-php"><p>foobar</p></code></pre>';
$expectedSafeMarkup = '<pre><code class="language-php">&lt;p&gt;foobar&lt;/p&gt;</code></pre>';
$unsafeExtension = new UnsafeExtension;
$actualMarkup = $unsafeExtension->text($markdown);
$this->assertEquals($expectedMarkup, $actualMarkup);
$unsafeExtension->setSafeMode(true);
$actualSafeMarkup = $unsafeExtension->text($markdown);
$this->assertEquals($expectedSafeMarkup, $actualSafeMarkup);
}
function testTrustDelegatedRawHtml()
{
$markdown = "```php\nfoobar\n```";
$expectedMarkup = '<pre><code class="language-php"><p>foobar</p></code></pre>';
$expectedSafeMarkup = $expectedMarkup;
$unsafeExtension = new TrustDelegatedExtension;
$actualMarkup = $unsafeExtension->text($markdown);
$this->assertEquals($expectedMarkup, $actualMarkup);
$unsafeExtension->setSafeMode(true);
$actualSafeMarkup = $unsafeExtension->text($markdown);
$this->assertEquals($expectedSafeMarkup, $actualSafeMarkup);
}
function data() function data()
{ {
$data = array(); $data = array();

39
test/SampleExtensions.php Normal file
View File

@ -0,0 +1,39 @@
<?php
class UnsafeExtension extends Parsedown
{
protected function blockFencedCodeComplete($Block)
{
$text = $Block['element']['text']['text'];
unset($Block['element']['text']['text']);
// WARNING: There is almost always a better way of doing things!
//
// This example is one of them, unsafe behaviour is NOT needed here.
// Only use this if you trust the input and have no idea what
// the output HTML will look like (e.g. using an external parser).
$Block['element']['text']['rawHtml'] = "<p>$text</p>";
return $Block;
}
}
class TrustDelegatedExtension extends Parsedown
{
protected function blockFencedCodeComplete($Block)
{
$text = $Block['element']['text']['text'];
unset($Block['element']['text']['text']);
// WARNING: There is almost always a better way of doing things!
//
// This behaviour is NOT needed in the demonstrated case.
// Only use this if you are sure that the result being added into
// rawHtml is safe.
// (e.g. using an external parser with escaping capabilities).
$Block['element']['text']['rawHtml'] = "<p>$text</p>";
$Block['element']['text']['allowRawHtmlInSafeMode'] = true;
return $Block;
}
}