
add single safeMode option that encompasses protection from link destination xss and plain markup based xss into a single on/off switch

This commit is contained in:
Aidan Woods 2017-05-09 19:22:58 +01:00
parent c63b690a79
commit b1e5aebaf6
No known key found for this signature in database
GPG Key ID: 9A6A8EFAA512BBB9
3 changed files with 9 additions and 9 deletions


@ -75,14 +75,14 @@ class Parsedown
protected $urlsLinked = true; protected $urlsLinked = true;
function setSafeLinksEnabled($safeLinksEnabled) function setSafeMode($safeMode)
{ {
$this->safeLinksEnabled = $safeLinksEnabled; $this->safeMode = (bool) $safeMode;
return $this; return $this;
} }
protected $safeLinksEnabled = true; protected $safeMode;
protected $safeLinksWhitelist = array( protected $safeLinksWhitelist = array(
'http://', 'http://',
@ -378,7 +378,7 @@ class Parsedown
protected function blockComment($Line) protected function blockComment($Line)
{ {
if ($this->markupEscaped) if ($this->markupEscaped or $this->safeMode)
{ {
return; return;
} }
@ -700,7 +700,7 @@ class Parsedown
protected function blockMarkup($Line) protected function blockMarkup($Line)
{ {
if ($this->markupEscaped) if ($this->markupEscaped or $this->safeMode)
{ {
return; return;
} }
@ -1282,7 +1282,7 @@ class Parsedown
protected function inlineMarkup($Excerpt) protected function inlineMarkup($Excerpt)
{ {
if ($this->markupEscaped or strpos($Excerpt['text'], '>') === false) if ($this->markupEscaped or $this->safeMode or strpos($Excerpt['text'], '>') === false)
{ {
return; return;
} }
@ -1543,7 +1543,7 @@ class Parsedown
protected function filterUnsafeUrlInAttribute(array $Element, $attribute) protected function filterUnsafeUrlInAttribute(array $Element, $attribute)
{ {
if ($this->safeLinksEnabled) if ($this->safeMode)
{ {
foreach ($this->safeLinksWhitelist as $scheme) foreach ($this->safeLinksWhitelist as $scheme)
{ {
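Review bot: Replacing `protected $safeLinksEnabled = true;` with the uninitialised `protected $safeMode;` in the first hunk silently flips the default: `filterUnsafeUrlInAttribute` now only checks the scheme whitelist when a caller has opted in via `setSafeMode(true)`, whereas link-destination filtering was on by default before this commit, and the fixture change in the third file (`/url-%28parentheses%29` becoming `/url-(parentheses)`) looks like a visible consequence of that. If the weaker default is intended, make it explicit rather than relying on a null property, `protected $safeMode = false;`, with a comment above it such as `// Off by default; when enabled, raw HTML/comments are not passed through and link destinations must match $safeLinksWhitelist.`, and state in the commit message that integrators who relied on the previous default must now call `setSafeMode(true)`. Defaulting the combined switch to `true` would instead change behaviour for every user of raw markup, so the trade-off should be named either way. The body of `filterUnsafeUrlInAttribute` continues past the end of the hunk, so only the guard is reviewed here.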


@ -46,7 +46,7 @@ class ParsedownTest extends PHPUnit_Framework_TestCase
$expectedMarkup = str_replace("\r\n", "\n", $expectedMarkup); $expectedMarkup = str_replace("\r\n", "\n", $expectedMarkup);
$expectedMarkup = str_replace("\r", "\n", $expectedMarkup); $expectedMarkup = str_replace("\r", "\n", $expectedMarkup);
$this->Parsedown->setMarkupEscaped($test === 'xss_text_encoding'); $this->Parsedown->setSafeMode(substr($test, 0, 3) === 'xss');
$actualMarkup = $this->Parsedown->text($markdown); $actualMarkup = $this->Parsedown->text($markdown);
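Review bot: Dropping the `setMarkupEscaped($test === 'xss_text_encoding')` call in favour of `setSafeMode(substr($test, 0, 3) === 'xss')` appears to leave the standalone `markupEscaped` path untested, even though `blockComment`, `blockMarkup` and `inlineMarkup` still check `$this->markupEscaped` independently of `$this->safeMode` in the Parsedown.php hunks. Keep one case that enables markup escaping without safe mode so a regression in that branch is still caught, for example a dedicated test method that calls `$this->Parsedown->setMarkupEscaped(true);` and asserts the escaped output for a raw-HTML input. The enclosing test method starts and ends outside the hunk.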


@ -1,5 +1,5 @@
<p><a href="http://example.com">link</a></p> <p><a href="http://example.com">link</a></p>
<p><a href="/url-%28parentheses%29">link</a> with parentheses in URL </p> <p><a href="/url-(parentheses)">link</a> with parentheses in URL </p>
<p>(<a href="/index.php">link</a>) in parentheses</p> <p>(<a href="/index.php">link</a>) in parentheses</p>
<p><a href="http://example.com"><code>link</code></a></p> <p><a href="http://example.com"><code>link</code></a></p>
<p><a href="http://example.com"><img src="http://parsedown.org/md.png" alt="MD Logo" /></a></p> <p><a href="http://example.com"><img src="http://parsedown.org/md.png" alt="MD Logo" /></a></p>