244ea0aaa6
Remove some whitespace
2018-03-27 12:11:00 +01:00
d2a73f9179
Trim whitespace
2018-03-27 11:23:04 +01:00
21cdd8a0b3
Merge branch 'master' into patch-4
2018-03-27 11:13:06 +01:00
cac63f6fcb
Merge pull request #578 from aidantwoods/fix/setext-heading-spaces
...
Fix setext heading space handling
2018-03-25 23:08:31 +01:00
f71bec00f4
Fix space handling in setext headings
2018-03-25 22:50:42 +01:00
d86d839677
Merge branch 'master' into fix/consistency_follow
2018-03-25 19:37:04 +01:00
88dc949890
Refactor based on suggestion by @PhrozenByte
2018-03-18 20:17:12 +00:00
3fc54bc966
Allow extension to "vouch" for raw HTML they produce
...
Rename "unsafeHtml" to "rawHtml"
2018-03-15 19:46:03 +00:00
ef7ed7b66c
Still grab the text if safe mode enabled, but output it escaped
2018-03-15 11:09:55 +00:00
e6444bb57e
Add unsafeHtml option for extensions to use on trusted input
2018-03-15 10:48:38 +00:00
a3265e7c6f
Merge pull request #511 from aidantwoods/feature/null-name-element
...
Allow element to have no name
2018-03-15 09:41:16 +00:00
6830c3339f
Readability
...
Thanks @PhrozenByte for the suggestion :)
2018-03-09 17:38:41 +00:00
19f1bb9353
Disable backtracking where the regex doesn't need it
2018-03-09 17:06:14 +00:00
721b885dd3
Fix #565 by validating email as defined in commonmark spec
2018-03-09 17:05:42 +00:00
9857334186
bump version
2018-03-07 22:04:55 -03:00
ae7e8e5067
bump version
2018-03-07 21:51:35 -03:00
72d30d33bc
allow element to have no name
2018-03-01 01:17:32 +00:00
e941dcc3f0
Merge pull request #525 from aidantwoods/fix/infostring
...
Properly support fenced code block infostring
2018-02-28 17:06:25 +00:00
c192001a7e
Merge pull request #433 from aidantwoods/patch-3
...
Fix Issue #358 – preventing double nested links
2018-02-28 17:05:58 +00:00
5057e505d8
Merge pull request #475 from aidantwoods/loose-lists
...
Loose lists
2018-02-28 17:05:00 +00:00
6678d59be4
Merge pull request #495 from aidantwoods/anti-xss
...
Prevent various XSS attacks [rebase and update of #276 ]
2018-02-28 13:41:37 +02:00
0e1043a8d6
consistent li items for loose list
2018-01-29 14:38:19 +01:00
296ebf0e60
Merge pull request #429 from pablotheissen/patch-1
...
Support html tags containing dashes
2017-11-19 11:15:43 +02:00
4404201175
Properly support fenced code block infostring
...
Reference: http://spec.commonmark.org/0.28/#info-string
2017-08-20 10:28:46 +01:00
6a4afac0d0
remove ability for htmlblock to allow paragraph after if it closes on the same line
2017-06-22 00:02:03 +01:00
67c3efbea0
according to https://tools.ietf.org/html/rfc3986#section-3 the colon is a required part of the syntax, other methods of achieving the colon character (as to browser interpretation) should be taken care of by htmlencoding that is done on all attribute content
2017-05-10 16:57:18 +01:00
bbb7687f31
safeMode will either apply all sanitisation techniques to an element or none (note that encoding HTML entities is done regardless because it speaks to character context, and that the only attributes/elements we should permit are the ones we actually mean to create)
2017-05-09 19:31:36 +01:00
b1e5aebaf6
add single safeMode option that encompasses protection from link destination xss and plain markup based xss into a single on/off switch
2017-05-09 19:22:58 +01:00
c63b690a79
remove duplicates
2017-05-09 14:50:15 +01:00
226f636360
remove $safe flag
2017-05-07 13:45:59 +01:00
2e4afde68d
faster check substr at beginning of string
2017-05-06 16:32:51 +01:00
dc30cb441c
add more protocols to the whitelist
2017-05-05 21:32:27 +01:00
054ba3c487
urlencode urls that are potentially unsafe:
...
this should break urls that attempt to include a protocol, or port (these are absolute URLs and should have a whitelisted protocol for use)
but URLs that are relative, or relative from the site root should be preserved (though characters non essential for the URL structure may be urlencoded)
this approach has significant advantages over attempting to locate something like `javascript:alert(1)` or `javascript:alert(1)` (which are both valid) because browsers have been known to ignore ridiculous characters when encountered (meaning something like `jav\ta\0\0script:alert(1)` would be xss :( ). Instead of trying to chase down a way to interpret a URL to decide whether there is a protocol, this approach ensures that two essential characters needed to achieve a colon are encoded `:` (obviously) and `;` (from `:`). If these characters appear in a relative URL then they are equivalent to their URL encoded form and so this change will be non breaking for that case.
2017-05-03 17:01:27 +01:00
4bae1c9834
whitelist regex for good attribute (no
...
no chars that could form a delimiter allowed
2017-05-03 00:39:01 +01:00
aee3963e6b
jpeg, not jpg
2017-05-02 19:55:03 +01:00
4dc98b635d
whitelist changes:
...
* add gif and jpg as allowed data images
* ensure that user controlled content fall only in the "data section" of the data URI (and does not intersect content-type definition in any way (best to be safe than sorry ;-)))
"data section" as defined in: https://tools.ietf.org/html/rfc2397#section-3
2017-05-02 19:48:25 +01:00
e4bb12329e
array_keys is probably faster
2017-05-02 01:32:24 +01:00
6d0156d707
dump attributes that contain characters that are impossible for validity, or very unlikely
2017-05-02 00:48:48 +01:00
131ba75851
filter onevent attributes
2017-05-01 15:44:04 +01:00
6bb66db00f
anti-xss
...
protect all attributes and content from xss via element method
filter special attributes (a href, img src)
expand url whitelist slightly to permit data images and mailto links
2017-05-01 03:25:07 +01:00
b3d45c4bb9
Add html escaping to all attributes capable of holding user input.
2017-05-01 02:00:38 +01:00
1d4296f34d
Customizable whitelist of schemas for safeLinks
2017-05-01 01:58:34 +01:00
bf5105cb1a
Improve safeLinks with whitelist.
2017-05-01 01:58:34 +01:00
1140613fc7
Prevent various XSS attacks
2017-05-01 01:58:34 +01:00
d7956e3ade
blockmarkup ends on interrupt by newline (CommonMark compliance)
2017-03-29 18:25:56 +01:00
1bf24f7334
add kbd to text-level elements
2017-03-29 19:04:15 +03:00
7081afe8cb
Removed double semicolon
2017-03-02 12:43:51 +01:00
0172d779d7
Trim surrounding whitespace from URL in inlineLink
...
Fixes https://github.com/erusev/parsedown-extra/issues/103
2017-01-21 11:06:41 +00:00
48351504de
adjust two regex pattern within inlineLink() to reduce backtracking
...
add test with base64 image
2017-01-07 00:45:38 +01:00
a3836b1853
Handle subsequent list items which aren't indented sufficiently
...
Subsequent list items which aren't indented sufficiently are treated as part of the original list, see CommonMark spec example [#256 ](http://spec.commonmark.org/0.26/#example-256 ).
2016-10-13 20:44:02 +02:00
