Add html escaping to all attributes capable of holding user input.

2015-01-26 18:49:17 +01:00 · 2015-01-26 18:49:17 +01:00 · b3d45c4bb9
parent 1d4296f34d
commit b3d45c4bb9
1 changed files with 12 additions and 10 deletions
--- a/Parsedown.php
+++ b/Parsedown.php
@ -422,7 +422,7 @@ class Parsedown

            if (isset($matches[1]))
            {
-                $class = 'language-'.$matches[1];
+                $class = 'language-'.htmlspecialchars($matches[1], ENT_QUOTES, 'UTF-8');

                $Element['attributes'] = array(
                    'class' => $class,
@ -532,10 +532,10 @@ class Parsedown
                ),
            );

-            if($name === 'ol') 
+            if($name === 'ol')
            {
                $listStart = stristr($matches[0], '.', true);
-                
+
                if($listStart !== '1')
                {
                    $Block['element']['attributes'] = array('start' => $listStart);
@ -1108,7 +1108,7 @@ class Parsedown
    {
        if (strpos($Excerpt['text'], '>') !== false and preg_match('/^<((mailto:)?\S+?@\S+?)>/i', $Excerpt['text'], $matches))
        {
-            $url = $matches[1];
+            $url = htmlspecialchars($matches[1], ENT_QUOTES, 'UTF-8');

            if ( ! isset($matches[2]))
            {
@ -1288,12 +1288,12 @@ class Parsedown
            }
        }

-        $Element['attributes']['href'] = htmlspecialchars($Element['attributes']['href'], ENT_QUOTES);
-        $Element['text'] = htmlspecialchars($Element['text'], ENT_QUOTES);
+        $Element['attributes']['href'] = htmlspecialchars($Element['attributes']['href'], ENT_QUOTES, 'UTF-8');
+        $Element['text'] = htmlspecialchars($Element['text'], ENT_QUOTES, 'UTF-8');

        if ( $Element['attributes']['title'] !== null )
        {
-            $Element['attributes']['title'] = htmlspecialchars($Element['attributes']['title'], ENT_QUOTES);
+            $Element['attributes']['title'] = htmlspecialchars($Element['attributes']['title'], ENT_QUOTES, 'UTF-8');
        }

        return array(
@ -1384,14 +1384,16 @@ class Parsedown

        if (preg_match('/\bhttps?:[\/]{2}[^\s<]+\b\/*/ui', $Excerpt['context'], $matches, PREG_OFFSET_CAPTURE))
        {
+            $url = htmlspecialchars($matches[0][0], ENT_QUOTES, 'UTF-8');
+
            $Inline = array(
                'extent' => strlen($matches[0][0]),
                'position' => $matches[0][1],
                'element' => array(
                    'name' => 'a',
-                    'text' => $matches[0][0],
+                    'text' => $url,
                    'attributes' => array(
-                        'href' => $matches[0][0],
+                        'href' => $url,
                    ),
                ),
            );
@ -1404,7 +1406,7 @@ class Parsedown
    {
        if (strpos($Excerpt['text'], '>') !== false and preg_match('/^<(\w+:\/{2}[^ >]+)>/i', $Excerpt['text'], $matches))
        {
-            $url = str_replace(array('&', '<'), array('&amp;', '&lt;'), $matches[1]);
+            $url = htmlspecialchars($matches[1], ENT_QUOTES, 'UTF-8');

            return array(
                'extent' => strlen($matches[0]),