mirror/parsedown
1
0
Fork 0
mirror of https://github.com/erusev/parsedown.git synced 2023-08-10 21:13:06 +03:00
Code Releases Activity
696 Commits 5 Branches 82 Tags 2.6 MiB
eb55e426b9
Commit Graph

365 Commits

Author SHA1 Message Date
Aidan Woods
eb55e426b9
Initial refactor to use AST 2018-03-21 02:18:34 +00:00
Aidan Woods
92e426e0e8
Fix merging of adjacent blockquotes 2018-03-28 03:27:09 +01:00
Aidan Woods
d849d64611
Merge pull request #584 from aidantwoods/fix/tables 
Permit 1 column tables with less delimiters
 2018-03-27 23:18:41 +01:00
Aidan Woods
00e51ee424
Permit 1 column tables with less delimiters 2018-03-27 23:12:51 +01:00
Aidan Woods
790aed42ab
Fix trimming of internal #'s 2018-03-27 22:04:11 +01:00
Aidan Woods
ae13290221
Merge pull request #574 from aidantwoods/fix/remove-legacy-escaping 
Remove legacy escaping
 2018-03-27 13:18:30 +01:00
Aidan Woods
244ea0aaa6
Remove some whitespace 2018-03-27 12:11:00 +01:00
Aidan Woods
d2a73f9179
Trim whitespace 2018-03-27 11:23:04 +01:00
Aidan Woods
21cdd8a0b3
Merge branch 'master' into patch-4 2018-03-27 11:13:06 +01:00
Aidan Woods
cac63f6fcb
Merge pull request #578 from aidantwoods/fix/setext-heading-spaces 
Fix setext heading space handling
 2018-03-25 23:08:31 +01:00
Aidan Woods
f71bec00f4
Fix space handling in setext headings 2018-03-25 22:50:42 +01:00
Aidan Woods
1fa6b038af
PHP 5.3 compat 2018-03-25 20:00:31 +01:00
Aidan Woods
e59fbd736d
Remove 'markup' key exception for outputting via AST 2018-03-25 20:00:31 +01:00
Aidan Woods
8c14c5c239
Use rawHtml to provide conditional escaping for markup 2018-03-25 20:00:30 +01:00
Aidan Woods
0205a4cbe6
Use rawHtml to provide conditional escaping on special chars 2018-03-25 19:59:11 +01:00
Aidan Woods
011465bca6
Use rawHtml to provide conditional escaping for specialChars 2018-03-25 19:59:11 +01:00
Aidan Woods
adcba80502
Implement unmarked text via AST 2018-03-25 19:59:11 +01:00
Aidan Woods
65d7bc5013
Special casing for elements with no name 2018-03-25 19:59:11 +01:00
Aidan Woods
d86d839677
Merge branch 'master' into fix/consistency_follow 2018-03-25 19:37:04 +01:00
Aidan Woods
88dc949890
Refactor based on suggestion by @PhrozenByte 2018-03-18 20:17:12 +00:00
Aidan Woods
3fc54bc966
Allow extension to "vouch" for raw HTML they produce 
Rename "unsafeHtml" to "rawHtml"
 2018-03-15 19:46:03 +00:00
Aidan Woods
ef7ed7b66c
Still grab the text if safe mode enabled, but output it escaped 2018-03-15 11:09:55 +00:00
Aidan Woods
e6444bb57e
Add unsafeHtml option for extensions to use on trusted input 2018-03-15 10:48:38 +00:00
Aidan Woods
a3265e7c6f
Merge pull request #511 from aidantwoods/feature/null-name-element 
Allow element to have no name
 2018-03-15 09:41:16 +00:00
Aidan Woods
6830c3339f
Readability 
Thanks @PhrozenByte for the suggestion :)
 2018-03-09 17:38:41 +00:00
Aidan Woods
19f1bb9353
Disable backtracking where the regex doesn't need it 2018-03-09 17:06:14 +00:00
Aidan Woods
721b885dd3
Fix #565 by validating email as defined in commonmark spec 2018-03-09 17:05:42 +00:00
Luiz Paulo "Bills
9857334186
bump version 2018-03-07 22:04:55 -03:00
Luiz Paulo "Bills
ae7e8e5067
bump version 2018-03-07 21:51:35 -03:00
Aidan Woods
72d30d33bc
allow element to have no name 2018-03-01 01:17:32 +00:00
Aidan Woods
e941dcc3f0
Merge pull request #525 from aidantwoods/fix/infostring 
Properly support fenced code block infostring
 2018-02-28 17:06:25 +00:00
Aidan Woods
c192001a7e
Merge pull request #433 from aidantwoods/patch-3 
Fix Issue #358 – preventing double nested links
 2018-02-28 17:05:58 +00:00
Aidan Woods
5057e505d8
Merge pull request #475 from aidantwoods/loose-lists 
Loose lists
 2018-02-28 17:05:00 +00:00
Emanuil Rusev
6678d59be4
Merge pull request #495 from aidantwoods/anti-xss 
Prevent various XSS attacks [rebase and update of #276]
 2018-02-28 13:41:37 +02:00
Aidan Woods
0e1043a8d6
consistent li items for loose list 2018-01-29 14:38:19 +01:00
Emanuil Rusev
296ebf0e60
Merge pull request #429 from pablotheissen/patch-1 
Support html tags containing dashes
 2017-11-19 11:15:43 +02:00
Aidan Woods
4404201175
Properly support fenced code block infostring 
Reference: http://spec.commonmark.org/0.28/#info-string
 2017-08-20 10:28:46 +01:00
Aidan Woods
6a4afac0d0
remove ability for htmlblock to allow paragraph after if it closes on the same line 2017-06-22 00:02:03 +01:00
Aidan Woods
67c3efbea0
according to https://tools.ietf.org/html/rfc3986#section-3 the colon is a required part of the syntax, other methods of achieving the colon character (as to browser interpretation) should be taken care of by htmlencoding that is done on all attribute content 2017-05-10 16:57:18 +01:00
Aidan Woods
bbb7687f31
safeMode will either apply all sanitisation techniques to an element or none (note that encoding HTML entities is done regardless because it speaks to character context, and that the only attributes/elements we should permit are the ones we actually mean to create) 2017-05-09 19:31:36 +01:00
Aidan Woods
b1e5aebaf6
add single safeMode option that encompasses protection from link destination xss and plain markup based xss into a single on/off switch 2017-05-09 19:22:58 +01:00
Aidan Woods
c63b690a79
remove duplicates 2017-05-09 14:50:15 +01:00
Aidan Woods
226f636360
remove $safe flag 2017-05-07 13:45:59 +01:00
Aidan Woods
2e4afde68d
faster check substr at beginning of string 2017-05-06 16:32:51 +01:00
Aidan Woods
dc30cb441c
add more protocols to the whitelist 2017-05-05 21:32:27 +01:00
Aidan Woods
054ba3c487
urlencode urls that are potentially unsafe: 
this should break urls that attempt to include a protocol, or port (these are absolute URLs and should have a whitelisted protocol for use)
but URLs that are relative, or relative from the site root should be preserved (though characters non essential for the URL structure may be urlencoded)

this approach has significant advantages over attempting to locate something like `javascript:alert(1)` or `javascript:alert(1)` (which are both valid) because browsers have been known to ignore ridiculous characters when encountered (meaning something like `jav\ta\0\0script:alert(1)` would be xss :( ). Instead of trying to chase down a way to interpret a URL to decide whether there is a protocol, this approach ensures that two essential characters needed to achieve a colon are encoded `:` (obviously) and `;` (from `:`). If these characters appear in a relative URL then they are equivalent to their URL encoded form and so this change will be non breaking for that case.
 2017-05-03 17:01:27 +01:00
Aidan Woods
4bae1c9834
whitelist regex for good attribute (no 
no chars that could form a delimiter allowed
 2017-05-03 00:39:01 +01:00
Aidan Woods
aee3963e6b
jpeg, not jpg 2017-05-02 19:55:03 +01:00
Aidan Woods
4dc98b635d
whitelist changes: 
* add gif and jpg as allowed data images
* ensure that user controlled content fall only in the "data section" of the data URI (and does not intersect content-type definition in any way (best to be safe than sorry ;-)))
  "data section" as defined in: https://tools.ietf.org/html/rfc2397#section-3
 2017-05-02 19:48:25 +01:00
Aidan Woods
e4bb12329e
array_keys is probably faster 2017-05-02 01:32:24 +01:00