safeMode will either apply all sanitisation techniques to an element or none (note that encoding HTML entities is done regardless because it speaks to character context, and that the only attributes/elements we should permit are the ones we actually mean to create)

2023-08-10 21:13:06 +03:00 · 2017-05-09 19:31:36 +01:00 · 2017-05-09 19:31:36 +01:00 · bbb7687f31
commit bbb7687f31
parent b1e5aebaf6
1 changed files with 16 additions and 17 deletions
--- a/Parsedown.php
+++ b/Parsedown.php
@ -1422,7 +1422,10 @@ class Parsedown

    protected function element(array $Element)
    {
-        $Element = $this->sanitiseElement($Element);
+        if ($this->safeMode)
+        {
+            $Element = $this->sanitiseElement($Element);
+        }

        $markup = '<'.$Element['name'];

@ -1543,27 +1546,23 @@ class Parsedown

    protected function filterUnsafeUrlInAttribute(array $Element, $attribute)
    {
-        if ($this->safeMode)
+        foreach ($this->safeLinksWhitelist as $scheme)
        {
-            foreach ($this->safeLinksWhitelist as $scheme)
+            if (self::striAtStart($Element['attributes'][$attribute], $scheme))
            {
-                if (self::striAtStart($Element['attributes'][$attribute], $scheme))
-                {
-                    return $Element;
-                }
+                return $Element;
            }
-
-            $Element['attributes'][$attribute] = preg_replace_callback(
-                '/[^\/#?&=%]++/',
-                function (array $match)
-                {
-                    return urlencode($match[0]);
-                },
-                $Element['attributes'][$attribute]
-            );
-
        }

+        $Element['attributes'][$attribute] = preg_replace_callback(
+            '/[^\/#?&=%]++/',
+            function (array $match)
+            {
+                return urlencode($match[0]);
+            },
+            $Element['attributes'][$attribute]
+        );
+
        return $Element;
    }