mirror/parsedown
1
0
Fork 0
mirror of https://github.com/erusev/parsedown.git synced 2023-08-10 21:13:06 +03:00
Code Releases Activity

add single safeMode option that encompasses protection from link destination xss and plain markup based xss into a single on/off switch

Browse Source
This commit is contained in:
Aidan Woods 2017-05-09 19:22:58 +01:00
parent c63b690a79
commit b1e5aebaf6
No known key found for this signature in database
GPG Key ID: 9A6A8EFAA512BBB9
3 changed files with 9 additions and 9 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

14
Parsedown.php
View File

@ -75,14 +75,14 @@ class Parsedown
protected $urlsLinked = true;
function setSafeLinksEnabled($safeLinksEnabled)
function setSafeMode($safeMode)
{
$this->safeLinksEnabled = $safeLinksEnabled;
$this->safeMode = (bool) $safeMode;
return $this;
}
protected $safeLinksEnabled = true;
protected $safeMode;
protected $safeLinksWhitelist = array(
'http://',
@ -378,7 +378,7 @@ class Parsedown
protected function blockComment($Line)
{
if ($this->markupEscaped)
if ($this->markupEscaped or $this->safeMode)
{
return;
}
@ -700,7 +700,7 @@ class Parsedown
protected function blockMarkup($Line)
{
if ($this->markupEscaped)
if ($this->markupEscaped or $this->safeMode)
{
return;
}
@ -1282,7 +1282,7 @@ class Parsedown
protected function inlineMarkup($Excerpt)
{
if ($this->markupEscaped or strpos($Excerpt['text'], '>') === false)
if ($this->markupEscaped or $this->safeMode or strpos($Excerpt['text'], '>') === false)
{
return;
}
@ -1543,7 +1543,7 @@ class Parsedown
protected function filterUnsafeUrlInAttribute(array $Element, $attribute)
{
if ($this->safeLinksEnabled)
if ($this->safeMode)
{
foreach ($this->safeLinksWhitelist as $scheme)
{

2
test/ParsedownTest.php
View File

@ -46,7 +46,7 @@ class ParsedownTest extends PHPUnit_Framework_TestCase
$expectedMarkup = str_replace("\r\n", "\n", $expectedMarkup);
$expectedMarkup = str_replace("\r", "\n", $expectedMarkup);
$this->Parsedown->setMarkupEscaped($test === 'xss_text_encoding');
$this->Parsedown->setSafeMode(substr($test, 0, 3) === 'xss');
$actualMarkup = $this->Parsedown->text($markdown);

2
test/data/inline_link.html
View File

@ -1,5 +1,5 @@
<p><a href="http://example.com">link</a></p>
<p><a href="/url-%28parentheses%29">link</a> with parentheses in URL </p>
<p><a href="/url-(parentheses)">link</a> with parentheses in URL </p>
<p>(<a href="/index.php">link</a>) in parentheses</p>
<p><a href="http://example.com"><code>link</code></a></p>
<p><a href="http://example.com"><img src="http://parsedown.org/md.png" alt="MD Logo" /></a></p>