Daniel Berthereau
47e4163a68
Merge branch 'htmlblocks' of https://github.com/aidantwoods/parsedown into aidantwoods-htmlblocks
2017-06-23 00:00:00 +02:00
Aidan Woods
c05bff047a
correct test to match CommonMark specified input for output
2017-06-22 00:03:12 +01:00
Aidan Woods
6a4afac0d0
remove ability for htmlblock to allow paragraph after if it closes on the same line
2017-06-22 00:02:03 +01:00
Daniel Berthereau
129f807e32
Inverted checks of consistency for markdown following markups.
2017-06-22 00:00:00 +02:00
Daniel Berthereau
be963a6531
Added tests for consistency when a markdown follows a markup without blank line.
2017-06-19 00:00:00 +02:00
Emanuil Rusev
728952b90a
Merge pull request #499 from aidantwoods/fix/hhvm
...
Fix hhvm build failure
2017-05-14 17:47:48 +03:00
Aidan Woods
c82af01bd6
add sudo false
2017-05-14 14:39:09 +01:00
Aidan Woods
67c3efbea0
according to https://tools.ietf.org/html/rfc3986#section-3 the colon is a required part of the syntax, other methods of achieving the colon character (as to browser interpretation) should be taken care of by htmlencoding that is done on all attribute content
2017-05-10 16:57:18 +01:00
Emanuil Rusev
593ffd45a3
Merge pull request #406 from adrilo/patch-1
...
Create .gitattributes
2017-05-10 12:28:53 +03:00
Aidan Woods
bbb7687f31
safeMode will either apply all sanitisation techniques to an element or none (note that encoding HTML entities is done regardless because it speaks to character context, and that the only attributes/elements we should permit are the ones we actually mean to create)
2017-05-09 19:31:36 +01:00
Aidan Woods
b1e5aebaf6
add single safeMode option that encompasses protection from link destination xss and plain markup based xss into a single on/off switch
2017-05-09 19:22:58 +01:00
Aidan Woods
c63b690a79
remove duplicates
2017-05-09 14:50:15 +01:00
Aidan Woods
226f636360
remove $safe flag
2017-05-07 13:45:59 +01:00
Aidan Woods
2e4afde68d
faster check substr at beginning of string
2017-05-06 16:32:51 +01:00
Aidan Woods
dc30cb441c
add more protocols to the whitelist
2017-05-05 21:32:27 +01:00
Emanuil Rusev
f76b10aaab
update readme
2017-05-04 10:28:55 +03:00
Aidan Woods
054ba3c487
urlencode urls that are potentially unsafe:
...
this should break urls that attempt to include a protocol, or port (these are absolute URLs and should have a whitelisted protocol for use)
but URLs that are relative, or relative from the site root should be preserved (though characters non essential for the URL structure may be urlencoded)
this approach has significant advantages over attempting to locate something like `javascript:alert(1)` or `javascript:alert(1)` (which are both valid) because browsers have been known to ignore ridiculous characters when encountered (meaning something like `jav\ta\0\0script:alert(1)` would be xss :( ). Instead of trying to chase down a way to interpret a URL to decide whether there is a protocol, this approach ensures that two essential characters needed to achieve a colon are encoded `:` (obviously) and `;` (from `:`). If these characters appear in a relative URL then they are equivalent to their URL encoded form and so this change will be non breaking for that case.
2017-05-03 17:01:27 +01:00
Aidan Woods
4bae1c9834
whitelist regex for good attribute (no
...
no chars that could form a delimiter allowed
2017-05-03 00:39:01 +01:00
Aidan Woods
aee3963e6b
jpeg, not jpg
2017-05-02 19:55:03 +01:00
Aidan Woods
4dc98b635d
whitelist changes:
...
* add gif and jpg as allowed data images
* ensure that user controlled content fall only in the "data section" of the data URI (and does not intersect content-type definition in any way (best to be safe than sorry ;-)))
"data section" as defined in: https://tools.ietf.org/html/rfc2397#section-3
2017-05-02 19:48:25 +01:00
Aidan Woods
e4bb12329e
array_keys is probably faster
2017-05-02 01:32:24 +01:00
Aidan Woods
6d0156d707
dump attributes that contain characters that are impossible for validity, or very unlikely
2017-05-02 00:48:48 +01:00
Emanuil Rusev
29ad172261
Merge pull request #496 from aidantwoods/fix/ditch-hhvm-nightly
...
replace hhvm nightly with nightly
2017-05-01 19:35:36 +03:00
Aidan Woods
131ba75851
filter onevent attributes
2017-05-01 15:44:04 +01:00
Aidan Woods
924b26e16c
replace hhvm nightly with nightly
2017-05-01 03:57:07 +01:00
Aidan Woods
af04ac92e2
add xss tests
2017-05-01 03:33:49 +01:00
Aidan Woods
6bb66db00f
anti-xss
...
protect all attributes and content from xss via element method
filter special attributes (a href, img src)
expand url whitelist slightly to permit data images and mailto links
2017-05-01 03:25:07 +01:00
naNuke
b3d45c4bb9
Add html escaping to all attributes capable of holding user input.
2017-05-01 02:00:38 +01:00
naNuke
1d4296f34d
Customizable whitelist of schemas for safeLinks
2017-05-01 01:58:34 +01:00
naNuke
bf5105cb1a
Improve safeLinks with whitelist.
2017-05-01 01:58:34 +01:00
naNuke
1140613fc7
Prevent various XSS attacks
2017-05-01 01:58:34 +01:00
Aidan Woods
1d0af35f10
update test to result generated by CommonMark reference parser
2017-03-29 18:26:07 +01:00
Aidan Woods
d7956e3ade
blockmarkup ends on interrupt by newline (CommonMark compliance)
2017-03-29 18:25:56 +01:00
Emanuil Rusev
4367f89a74
attempt to fix failing builds on 5.3
2017-03-29 19:30:24 +03:00
Emanuil Rusev
1bf24f7334
add kbd to text-level elements
2017-03-29 19:04:15 +03:00
Emanuil Rusev
0a09d5ad45
update tests to reflect changes in phpunit 6.0
2017-03-23 20:21:18 +02:00
Emanuil Rusev
3fc442b078
Merge pull request #484 from hkdobrev/patch-1
...
Add Symfony demo to "Who uses it?"
2017-03-10 09:41:24 +02:00
Haralan Dobrev
bd0e31a7dd
Add Symfony demo to "Who uses it?"
...
409a65b373/composer.json (L24)
2017-03-10 01:04:53 +02:00
Emanuil Rusev
dfaf03639a
Merge pull request #480 from pjona/patch-1
...
Removed double semicolon
2017-03-08 23:21:03 +02:00
Marek Skiba
7081afe8cb
Removed double semicolon
2017-03-02 12:43:51 +01:00
Emanuil Rusev
4b6493999a
Merge pull request #465 from aidantwoods/patch-8
...
Trim surrounding whitespace from URL in inlineLink
2017-01-23 09:45:19 +02:00
Aidan Woods
0172d779d7
Trim surrounding whitespace from URL in inlineLink
...
Fixes https://github.com/erusev/parsedown-extra/issues/103
2017-01-21 11:06:41 +00:00
Emanuil Rusev
cc5b38ca39
Merge pull request #459 from gene-sis/fix_inlineLink_regex
...
fix_inlineLink_regex
2017-01-07 16:51:03 +02:00
gene_sis
48351504de
adjust two regex pattern within inlineLink() to reduce backtracking
...
add test with base64 image
2017-01-07 00:45:38 +01:00
Emanuil Rusev
20ff8bbb57
Merge pull request #447 from greut/phpunit-from-extra
...
Fix include from ParsedownTest
2016-11-02 17:56:58 +02:00
Yoan Blanc
bc21988fe5
Fix include from ParsedownTest
...
I wasn't able to run all the tests from ParsedownExtra because of it.
2016-11-02 09:27:35 +01:00
Emanuil Rusev
e3c3e28554
Merge pull request #446 from jamesevickery/master
...
Grammar update
2016-10-25 17:39:55 +03:00
James Vickery
f053740132
Merge pull request #1 from erusev/master
...
Merge pull request #445 from jamesevickery/master
2016-10-25 15:24:11 +01:00
James Vickery
7a92a31739
Grammar update
2016-10-25 15:22:17 +01:00
Emanuil Rusev
6eca8796fb
Merge pull request #445 from jamesevickery/master
...
Tiny grammar correction
2016-10-25 17:21:57 +03:00