e69374af0d
improve readme
2018-01-29 20:52:27 +02:00
722b776684
Test multiple multiline lists
2018-01-29 14:38:19 +01:00
7fd92a8fbd
update tests
2018-01-29 14:38:19 +01:00
0e1043a8d6
consistent li items for loose list
2018-01-29 14:38:19 +01:00
1196ed9512
Merge pull request #548 from m1guelpf-forks/patch-1
...
Update license year
2018-01-01 18:48:54 +02:00
1244122b84
Update LICENSE.txt
2018-01-01 14:09:31 +01:00
d98d60aaf3
Update license year
2017-12-31 22:10:48 +01:00
296ebf0e60
Merge pull request #429 from pablotheissen/patch-1
...
Support html tags containing dashes
2017-11-19 11:15:43 +02:00
a60ba300b1
Merge pull request #540 from jbafford/patch-1
...
Fix typo in README
2017-11-15 10:31:22 +02:00
089789dfff
Fix typo in README
2017-11-14 17:13:31 -05:00
03e1a6ac02
Merge branch 'master' into bugfix/CommonMarkTest
...
Conflicts:
.travis.yml
test/CommonMarkTest.php
test/ParsedownTest.php
test/bootstrap.php
2017-11-14 22:09:25 +01:00
fbe3fe878f
Merge pull request #539 from gabriel-caruso/phpunit
...
Use PHPUnit\Framework\TestCase instead of PHPUnit_Framework_TestCase
2017-11-14 22:44:03 +02:00
09827f542c
Rewrite Travis CI
2017-11-14 15:19:24 -02:00
70ef6f5521
Make Travis CI use installed PHPUnit version, not global one
2017-11-14 13:21:11 -02:00
691e36b1f2
Use PHPUnit\Framework\TestCase instead of PHPUnit_Framework_TestCase
2017-11-11 00:56:03 -02:00
af6affdc2c
improve readme
2017-11-06 16:54:00 +02:00
9cf41f27ab
improve readme
2017-10-22 16:01:34 +03:00
16aadff2ed
improve readme
2017-10-22 16:00:43 +03:00
07c937583d
improve readme
2017-10-22 15:57:58 +03:00
4404201175
Properly support fenced code block infostring
...
Reference: http://spec.commonmark.org/0.28/#info-string
2017-08-20 10:28:46 +01:00
c05ef0c12a
Merge branch 'aidantwoods-htmlblocks' into fix/consistency_follow
2017-06-23 00:00:00 +02:00
47e4163a68
Merge branch 'htmlblocks' of https://github.com/aidantwoods/parsedown into aidantwoods-htmlblocks
2017-06-23 00:00:00 +02:00
c05bff047a
correct test to match CommonMark specified input for output
2017-06-22 00:03:12 +01:00
6a4afac0d0
remove ability for htmlblock to allow paragraph after if it closes on the same line
2017-06-22 00:02:03 +01:00
129f807e32
Inverted checks of consistency for markdown following markups.
2017-06-22 00:00:00 +02:00
be963a6531
Added tests for consistency when a markdown follows a markup without blank line.
2017-06-19 00:00:00 +02:00
728952b90a
Merge pull request #499 from aidantwoods/fix/hhvm
...
Fix hhvm build failure
2017-05-14 17:47:48 +03:00
c82af01bd6
add sudo false
2017-05-14 14:39:09 +01:00
67c3efbea0
according to https://tools.ietf.org/html/rfc3986#section-3 the colon is a required part of the syntax, other methods of achieving the colon character (as to browser interpretation) should be taken care of by htmlencoding that is done on all attribute content
2017-05-10 16:57:18 +01:00
593ffd45a3
Merge pull request #406 from adrilo/patch-1
...
Create .gitattributes
2017-05-10 12:28:53 +03:00
bbb7687f31
safeMode will either apply all sanitisation techniques to an element or none (note that encoding HTML entities is done regardless because it speaks to character context, and that the only attributes/elements we should permit are the ones we actually mean to create)
2017-05-09 19:31:36 +01:00
b1e5aebaf6
add single safeMode option that encompasses protection from link destination xss and plain markup based xss into a single on/off switch
2017-05-09 19:22:58 +01:00
c63b690a79
remove duplicates
2017-05-09 14:50:15 +01:00
226f636360
remove $safe flag
2017-05-07 13:45:59 +01:00
2e4afde68d
faster check substr at beginning of string
2017-05-06 16:32:51 +01:00
dc30cb441c
add more protocols to the whitelist
2017-05-05 21:32:27 +01:00
f76b10aaab
update readme
2017-05-04 10:28:55 +03:00
054ba3c487
urlencode urls that are potentially unsafe:
...
this should break urls that attempt to include a protocol, or port (these are absolute URLs and should have a whitelisted protocol for use)
but URLs that are relative, or relative from the site root should be preserved (though characters non essential for the URL structure may be urlencoded)
this approach has significant advantages over attempting to locate something like `javascript:alert(1)` or `javascript:alert(1)` (which are both valid) because browsers have been known to ignore ridiculous characters when encountered (meaning something like `jav\ta\0\0script:alert(1)` would be xss :( ). Instead of trying to chase down a way to interpret a URL to decide whether there is a protocol, this approach ensures that two essential characters needed to achieve a colon are encoded `:` (obviously) and `;` (from `:`). If these characters appear in a relative URL then they are equivalent to their URL encoded form and so this change will be non breaking for that case.
2017-05-03 17:01:27 +01:00
4bae1c9834
whitelist regex for good attribute (no
...
no chars that could form a delimiter allowed
2017-05-03 00:39:01 +01:00
aee3963e6b
jpeg, not jpg
2017-05-02 19:55:03 +01:00
4dc98b635d
whitelist changes:
...
* add gif and jpg as allowed data images
* ensure that user controlled content fall only in the "data section" of the data URI (and does not intersect content-type definition in any way (best to be safe than sorry ;-)))
"data section" as defined in: https://tools.ietf.org/html/rfc2397#section-3
2017-05-02 19:48:25 +01:00
e4bb12329e
array_keys is probably faster
2017-05-02 01:32:24 +01:00
6d0156d707
dump attributes that contain characters that are impossible for validity, or very unlikely
2017-05-02 00:48:48 +01:00
29ad172261
Merge pull request #496 from aidantwoods/fix/ditch-hhvm-nightly
...
replace hhvm nightly with nightly
2017-05-01 19:35:36 +03:00
131ba75851
filter onevent attributes
2017-05-01 15:44:04 +01:00
924b26e16c
replace hhvm nightly with nightly
2017-05-01 03:57:07 +01:00
af04ac92e2
add xss tests
2017-05-01 03:33:49 +01:00
6bb66db00f
anti-xss
...
protect all attributes and content from xss via element method
filter special attributes (a href, img src)
expand url whitelist slightly to permit data images and mailto links
2017-05-01 03:25:07 +01:00
b3d45c4bb9
Add html escaping to all attributes capable of holding user input.
2017-05-01 02:00:38 +01:00
1d4296f34d
Customizable whitelist of schemas for safeLinks
2017-05-01 01:58:34 +01:00
