
safeMode now either applies all sanitisation techniques to an element or none of them (note that encoding HTML entities is done regardless, because it concerns character context, and that the only attributes/elements we should permit are the ones we actually mean to create)

This commit is contained in:
Aidan Woods 2017-05-09 19:31:36 +01:00
parent b1e5aebaf6
commit bbb7687f31
No known key found for this signature in database
GPG Key ID: 9A6A8EFAA512BBB9


@ -1422,7 +1422,10 @@ class Parsedown
protected function element(array $Element) protected function element(array $Element)
{ {
$Element = $this->sanitiseElement($Element); if ($this->safeMode)
{
$Element = $this->sanitiseElement($Element);
}
$markup = '<'.$Element['name']; $markup = '<'.$Element['name'];
@ -1543,27 +1546,23 @@ class Parsedown
protected function filterUnsafeUrlInAttribute(array $Element, $attribute) protected function filterUnsafeUrlInAttribute(array $Element, $attribute)
{ {
if ($this->safeMode) foreach ($this->safeLinksWhitelist as $scheme)
{ {
foreach ($this->safeLinksWhitelist as $scheme) if (self::striAtStart($Element['attributes'][$attribute], $scheme))
{ {
if (self::striAtStart($Element['attributes'][$attribute], $scheme)) return $Element;
{
return $Element;
}
} }
$Element['attributes'][$attribute] = preg_replace_callback(
'/[^\/#?&=%]++/',
function (array $match)
{
return urlencode($match[0]);
},
$Element['attributes'][$attribute]
);
} }
$Element['attributes'][$attribute] = preg_replace_callback(
'/[^\/#?&=%]++/',
function (array $match)
{
return urlencode($match[0]);
},
$Element['attributes'][$attribute]
);
return $Element; return $Element;
} }
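Review bot: filterUnsafeUrlInAttribute now relies on its caller for the safeMode gate (the `if ($this->safeMode)` wrapper is removed in the second hunk), but nothing on the method records that contract, so a later direct call from a non-safe code path would percent-encode ordinary links unexpectedly; a docblock should state it. Suggested: `/** Only meaningful in safeMode (the gate now sits in element(), presumably via sanitiseElement). URLs that start with a whitelisted scheme pass through; otherwise every run of characters outside '/#?&=%' is urlencode()d, so ':' is encoded and no other scheme can survive. */`. The method also reads `$Element['attributes'][$attribute]` without checking the key exists and stores the `preg_replace_callback` result without handling a null return on PCRE failure; both are presumably guaranteed by the caller and worth a sentence in the same docblock. The `if ($this->safeMode)` gate added to element() in the first hunk would likewise benefit from a one-line comment saying entity encoding still happens regardless of mode, as the commit message explains.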