mirror/parsedown
1
0
Fork 0
mirror of https://github.com/erusev/parsedown.git synced 2023-08-10 21:13:06 +03:00
Code Releases Activity

Add html escaping to all attributes capable of holding user input.

Browse Source
This commit is contained in:
naNuke 2015-01-26 18:49:17 +01:00 committed by Aidan Woods
parent 1d4296f34d
commit b3d45c4bb9
1 changed files with 12 additions and 10 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

18
Parsedown.php
View File

@ -422,7 +422,7 @@ class Parsedown
if (isset($matches[1])) if (isset($matches[1]))
{ {
$class = 'language-'.$matches[1]; $class = 'language-'.htmlspecialchars($matches[1], ENT_QUOTES, 'UTF-8');
$Element['attributes'] = array( $Element['attributes'] = array(
'class' => $class, 'class' => $class,
@ -1108,7 +1108,7 @@ class Parsedown
{ {
if (strpos($Excerpt['text'], '>') !== false and preg_match('/^<((mailto:)?\S+?@\S+?)>/i', $Excerpt['text'], $matches)) if (strpos($Excerpt['text'], '>') !== false and preg_match('/^<((mailto:)?\S+?@\S+?)>/i', $Excerpt['text'], $matches))
{ {
$url = $matches[1]; $url = htmlspecialchars($matches[1], ENT_QUOTES, 'UTF-8');
if ( ! isset($matches[2])) if ( ! isset($matches[2]))
{ {
@ -1288,12 +1288,12 @@ class Parsedown
} }
} }
$Element['attributes']['href'] = htmlspecialchars($Element['attributes']['href'], ENT_QUOTES); $Element['attributes']['href'] = htmlspecialchars($Element['attributes']['href'], ENT_QUOTES, 'UTF-8');
$Element['text'] = htmlspecialchars($Element['text'], ENT_QUOTES); $Element['text'] = htmlspecialchars($Element['text'], ENT_QUOTES, 'UTF-8');
if ( $Element['attributes']['title'] !== null ) if ( $Element['attributes']['title'] !== null )
{ {
$Element['attributes']['title'] = htmlspecialchars($Element['attributes']['title'], ENT_QUOTES); $Element['attributes']['title'] = htmlspecialchars($Element['attributes']['title'], ENT_QUOTES, 'UTF-8');
} }
return array( return array(
@ -1384,14 +1384,16 @@ class Parsedown
if (preg_match('/\bhttps?:[\/]{2}[^\s<]+\b\/*/ui', $Excerpt['context'], $matches, PREG_OFFSET_CAPTURE)) if (preg_match('/\bhttps?:[\/]{2}[^\s<]+\b\/*/ui', $Excerpt['context'], $matches, PREG_OFFSET_CAPTURE))
{ {
$url = htmlspecialchars($matches[0][0], ENT_QUOTES, 'UTF-8');
$Inline = array( $Inline = array(
'extent' => strlen($matches[0][0]), 'extent' => strlen($matches[0][0]),
'position' => $matches[0][1], 'position' => $matches[0][1],
'element' => array( 'element' => array(
'name' => 'a', 'name' => 'a',
'text' => $matches[0][0], 'text' => $url,
'attributes' => array( 'attributes' => array(
'href' => $matches[0][0], 'href' => $url,
), ),
), ),
); );
@ -1404,7 +1406,7 @@ class Parsedown
{ {
if (strpos($Excerpt['text'], '>') !== false and preg_match('/^<(\w+:\/{2}[^ >]+)>/i', $Excerpt['text'], $matches)) if (strpos($Excerpt['text'], '>') !== false and preg_match('/^<(\w+:\/{2}[^ >]+)>/i', $Excerpt['text'], $matches))
{ {
$url = str_replace(array('&', '<'), array('&amp;', '&lt;'), $matches[1]); $url = htmlspecialchars($matches[1], ENT_QUOTES, 'UTF-8');
return array( return array(
'extent' => strlen($matches[0]), 'extent' => strlen($matches[0]),