mirror of
https://github.com/erusev/parsedown.git
synced 2023-08-10 21:13:06 +03:00
Add html escaping to all attributes capable of holding user input.
This commit is contained in:
parent
1d4296f34d
commit
b3d45c4bb9
@ -422,7 +422,7 @@ class Parsedown
|
||||
|
||||
if (isset($matches[1]))
|
||||
{
|
||||
$class = 'language-'.$matches[1];
|
||||
$class = 'language-'.htmlspecialchars($matches[1], ENT_QUOTES, 'UTF-8');
|
||||
|
||||
$Element['attributes'] = array(
|
||||
'class' => $class,
|
||||
@ -532,10 +532,10 @@ class Parsedown
|
||||
),
|
||||
);
|
||||
|
||||
if($name === 'ol')
|
||||
if($name === 'ol')
|
||||
{
|
||||
$listStart = stristr($matches[0], '.', true);
|
||||
|
||||
|
||||
if($listStart !== '1')
|
||||
{
|
||||
$Block['element']['attributes'] = array('start' => $listStart);
|
||||
@ -1108,7 +1108,7 @@ class Parsedown
|
||||
{
|
||||
if (strpos($Excerpt['text'], '>') !== false and preg_match('/^<((mailto:)?\S+?@\S+?)>/i', $Excerpt['text'], $matches))
|
||||
{
|
||||
$url = $matches[1];
|
||||
$url = htmlspecialchars($matches[1], ENT_QUOTES, 'UTF-8');
|
||||
|
||||
if ( ! isset($matches[2]))
|
||||
{
|
||||
@ -1288,12 +1288,12 @@ class Parsedown
|
||||
}
|
||||
}
|
||||
|
||||
$Element['attributes']['href'] = htmlspecialchars($Element['attributes']['href'], ENT_QUOTES);
|
||||
$Element['text'] = htmlspecialchars($Element['text'], ENT_QUOTES);
|
||||
$Element['attributes']['href'] = htmlspecialchars($Element['attributes']['href'], ENT_QUOTES, 'UTF-8');
|
||||
$Element['text'] = htmlspecialchars($Element['text'], ENT_QUOTES, 'UTF-8');
|
||||
|
||||
if ( $Element['attributes']['title'] !== null )
|
||||
{
|
||||
$Element['attributes']['title'] = htmlspecialchars($Element['attributes']['title'], ENT_QUOTES);
|
||||
$Element['attributes']['title'] = htmlspecialchars($Element['attributes']['title'], ENT_QUOTES, 'UTF-8');
|
||||
}
|
||||
|
||||
return array(
|
||||
@ -1384,14 +1384,16 @@ class Parsedown
|
||||
|
||||
if (preg_match('/\bhttps?:[\/]{2}[^\s<]+\b\/*/ui', $Excerpt['context'], $matches, PREG_OFFSET_CAPTURE))
|
||||
{
|
||||
$url = htmlspecialchars($matches[0][0], ENT_QUOTES, 'UTF-8');
|
||||
|
||||
$Inline = array(
|
||||
'extent' => strlen($matches[0][0]),
|
||||
'position' => $matches[0][1],
|
||||
'element' => array(
|
||||
'name' => 'a',
|
||||
'text' => $matches[0][0],
|
||||
'text' => $url,
|
||||
'attributes' => array(
|
||||
'href' => $matches[0][0],
|
||||
'href' => $url,
|
||||
),
|
||||
),
|
||||
);
|
||||
@ -1404,7 +1406,7 @@ class Parsedown
|
||||
{
|
||||
if (strpos($Excerpt['text'], '>') !== false and preg_match('/^<(\w+:\/{2}[^ >]+)>/i', $Excerpt['text'], $matches))
|
||||
{
|
||||
$url = str_replace(array('&', '<'), array('&', '<'), $matches[1]);
|
||||
$url = htmlspecialchars($matches[1], ENT_QUOTES, 'UTF-8');
|
||||
|
||||
return array(
|
||||
'extent' => strlen($matches[0]),
|
||||
|
Loading…
Reference in New Issue
Block a user