Merge pull request #495 from aidantwoods/anti-xss

Prevent various XSS attacks [rebase and update of #276]

.gitattributes

@@ -0,0 +1,5 @@
+# Ignore all tests for archive
+/test               export-ignore
+/.gitattributes     export-ignore
+/.travis.yml        export-ignore
+/phpunit.xml.dist   export-ignore

.travis.yml

@@ -1,10 +1,27 @@
 language: php
 
-php:
-  - 5.6
-  - 5.5
-  - 5.4
-  - 5.3
-  - 5.2
-  - hhvm
-  
+dist: trusty
+sudo: false
+
+matrix:
+  include:
+    - php: 5.3
+      dist: precise
+    - php: 5.4
+    - php: 5.5
+    - php: 5.6
+    - php: 7.0
+    - php: 7.1
+    - php: nightly
+    - php: hhvm
+    - php: hhvm-nightly
+  fast_finish: true
+  allow_failures:
+    - php: nightly
+    - php: hhvm-nightly
+
+before_script:
+  - composer install --prefer-dist --no-interaction --no-progress
+
+script:
+  - vendor/bin/phpunit

LICENSE.txt

@@ -1,6 +1,6 @@
 The MIT License (MIT)
 
-Copyright (c) 2013 Emanuil Rusev, erusev.com
+Copyright (c) 2013-2018 Emanuil Rusev, erusev.com
 
 Permission is hereby granted, free of charge, to any person obtaining a copy of
 this software and associated documentation files (the "Software"), to deal in
@@ -17,4 +17,4 @@ IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS
 FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR
 COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER
 IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
-CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
+CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

README.md

@@ -1,18 +1,26 @@
+> I also make [Caret](https://caret.io?ref=parsedown) - a Markdown editor for Mac and PC.
+
 ## Parsedown
 
+[![Build Status](https://img.shields.io/travis/erusev/parsedown/master.svg?style=flat-square)](https://travis-ci.org/erusev/parsedown)
+<!--[![Total Downloads](http://img.shields.io/packagist/dt/erusev/parsedown.svg?style=flat-square)](https://packagist.org/packages/erusev/parsedown)-->
+
 Better Markdown Parser in PHP
 
-[[ demo ]](http://parsedown.org/demo)
+[Demo](http://parsedown.org/demo) |
+[Benchmarks](http://parsedown.org/speed) |
+[Tests](http://parsedown.org/tests/) |
+[Documentation](https://github.com/erusev/parsedown/wiki/)
 
 ### Features
 
-* [Fast](http://parsedown.org/speed)
-* [Consistent](http://parsedown.org/consistency)
-* [GitHub flavored](https://help.github.com/articles/github-flavored-markdown)
-* [Tested](http://parsedown.org/tests/) in PHP 5.2, 5.3, 5.4, 5.5, 5.6 and [hhvm](http://www.hhvm.com/)
+* One File
+* No Dependencies
+* Super Fast
 * Extensible
-* [Markdown Extra extension](https://github.com/erusev/parsedown-extra) <sup>new</sup>
-* [JavaScript port](https://github.com/hkdobrev/parsedown.js) under development <sup>new</sup>
+* [GitHub flavored](https://help.github.com/articles/github-flavored-markdown)
+* Tested in 5.3 to 7.1 and in HHVM
+* [Markdown Extra extension](https://github.com/erusev/parsedown-extra)
 
 ### Installation
 
@@ -26,18 +34,28 @@ $Parsedown = new Parsedown();
 echo $Parsedown->text('Hello _Parsedown_!'); # prints: <p>Hello <em>Parsedown</em>!</p>
 ```
 
-More examples in [the wiki](https://github.com/erusev/parsedown/wiki/Usage) and in [this video tutorial](http://youtu.be/wYZBY8DEikI).
+More examples in [the wiki](https://github.com/erusev/parsedown/wiki/) and in [this video tutorial](http://youtu.be/wYZBY8DEikI).
+
+### Security
+
+Parsedown does not sanitize the HTML that it generates. When you deal with untrusted content (ex: user comments) you should also use a HTML sanitizer like [HTML Purifier](http://htmlpurifier.org/).
 
 ### Questions
 
-**How does Parsedown work?**<br/>
-Parsedown recognises that the Markdown syntax is optimised for humans so it tries to read like one. It goes through text line by line. It looks at how lines start to identify blocks. It looks for special characters to identify inline elements.
+**How does Parsedown work?**
 
-**Why doesn’t Parsedown use namespaces?**<br/>
-Using namespaces would mean dropping support for PHP 5.2. We believe that since Parsedown is a single class with an uncommon name, making this trade wouldn't be worth it.
+It tries to read Markdown like a human. First, it looks at the lines. It’s interested in how the lines start. This helps it recognise blocks. It knows, for example, that if a line starts with a `-` then perhaps it belongs to a list. Once it recognises the blocks, it continues to the content. As it reads, it watches out for special characters. This helps it recognise inline elements (or inlines).
 
-**Is Parsedown compliant with CommonMark?**<br/>
-We are [working on it](https://github.com/erusev/parsedown/tree/commonmark).
+We call this approach "line based". We believe that Parsedown is the first Markdown parser to use it. Since the release of Parsedown, other developers have used the same approach to develop other Markdown parsers in PHP and in other languages.
 
-**Who uses Parsedown?**<br/>
-[phpDocumentor](http://www.phpdoc.org/), [October CMS](http://octobercms.com/), [Bolt CMS](http://bolt.cm/), [RaspberryPi.org](http://www.raspberrypi.org/) and [more](https://www.versioneye.com/php/erusev:parsedown/references).
+**Is it compliant with CommonMark?**
+
+It passes most of the CommonMark tests. Most of the tests that don't pass deal with cases that are quite uncommon. Still, as CommonMark matures, compliance should improve.
+
+**Who uses it?**
+
+[phpDocumentor](http://www.phpdoc.org/), [October CMS](http://octobercms.com/), [Bolt CMS](http://bolt.cm/), [Kirby CMS](http://getkirby.com/), [Grav CMS](http://getgrav.org/), [Statamic CMS](http://www.statamic.com/), [Herbie CMS](http://www.getherbie.org/), [RaspberryPi.org](http://www.raspberrypi.org/), [Symfony demo](https://github.com/symfony/symfony-demo) and [more](https://packagist.org/packages/erusev/parsedown/dependents).
+
+**How can I help?**
+
+Use it, star it, share it and if you feel generous, [donate](https://www.paypal.com/cgi-bin/webscr?cmd=_s-xclick&hosted_button_id=528P3NZQMP8N2).

composer.json

@@ -12,7 +12,13 @@
             "homepage": "http://erusev.com"
         }
     ],
+    "require": {
+        "php": ">=5.3.0"
+    },
+    "require-dev": {
+        "phpunit/phpunit": "^4.8.35"
+    },
     "autoload": {
         "psr-0": {"Parsedown": ""}
     }
-}
+}

phpunit.xml.dist

@@ -5,4 +5,4 @@
 			<file>test/ParsedownTest.php</file>
 		</testsuite>
 	</testsuites>
-</phpunit>
+</phpunit>

test/CommonMarkTest.php

@@ -0,0 +1,77 @@
+<?php
+
+/**
+ * Test Parsedown against the CommonMark spec.
+ *
+ * Some code based on the original JavaScript test runner by jgm.
+ *
+ * @link http://commonmark.org/ CommonMark
+ * @link http://git.io/8WtRvQ JavaScript test runner
+ */
+
+use PHPUnit\Framework\TestCase;
+
+class CommonMarkTest extends TestCase
+{
+    const SPEC_URL = 'https://raw.githubusercontent.com/jgm/stmd/master/spec.txt';
+
+    /**
+     * @dataProvider data
+     * @param $section
+     * @param $markdown
+     * @param $expectedHtml
+     */
+    function test_($section, $markdown, $expectedHtml)
+    {
+        $Parsedown = new Parsedown();
+        $Parsedown->setUrlsLinked(false);
+
+        $actualHtml = $Parsedown->text($markdown);
+        $actualHtml = $this->normalizeMarkup($actualHtml);
+
+        $this->assertEquals($expectedHtml, $actualHtml);
+    }
+
+    function data()
+    {
+        $spec = file_get_contents(self::SPEC_URL);
+        $spec = strstr($spec, '<!-- END TESTS -->', true);
+
+        $tests = array();
+        $currentSection = '';
+
+        preg_replace_callback(
+            '/^\.\n([\s\S]*?)^\.\n([\s\S]*?)^\.$|^#{1,6} *(.*)$/m',
+            function($matches) use ( & $tests, & $currentSection, & $testCount) {
+                if (isset($matches[3]) and $matches[3]) {
+                    $currentSection = $matches[3];
+                } else {
+                    $testCount++;
+                    $markdown = $matches[1];
+                    $markdown = preg_replace('/→/', "\t", $markdown);
+                    $expectedHtml = $matches[2];
+                    $expectedHtml = $this->normalizeMarkup($expectedHtml);
+                    $tests []= array(
+                        $currentSection, # section
+                        $markdown, # markdown
+                        $expectedHtml, # html
+                    );
+                }
+            },
+            $spec
+        );
+
+        return $tests;
+    }
+
+    private function normalizeMarkup($markup)
+    {
+        $markup = preg_replace("/\n+/", "\n", $markup);
+        $markup = preg_replace('/^\s+/m', '', $markup);
+        $markup = preg_replace('/^((?:<[\w]+>)+)\n/m', '$1', $markup);
+        $markup = preg_replace('/\n((?:<\/[\w]+>)+)$/m', '$1', $markup);
+        $markup = trim($markup);
+
+        return $markup;
+    }
+}

test/ParsedownTest.php

@@ -1,6 +1,8 @@
 <?php
 
-class ParsedownTest extends PHPUnit_Framework_TestCase
+use PHPUnit\Framework\TestCase;
+
+class ParsedownTest extends TestCase
 {
     final function __construct($name = null, array $data = array(), $dataName = '')
     {
@@ -46,6 +48,8 @@ class ParsedownTest extends PHPUnit_Framework_TestCase
         $expectedMarkup = str_replace("\r\n", "\n", $expectedMarkup);
         $expectedMarkup = str_replace("\r", "\n", $expectedMarkup);
 
+        $this->Parsedown->setSafeMode(substr($test, 0, 3) === 'xss');
+
         $actualMarkup = $this->Parsedown->text($markdown);
 
         $this->assertEquals($expectedMarkup, $actualMarkup);
@@ -116,24 +120,44 @@ comment
 MARKDOWN_WITH_MARKUP;
 
         $expectedHtml = <<<EXPECTED_HTML
-<p>&lt;div><em>content</em>&lt;/div></p>
+<p>&lt;div&gt;<em>content</em>&lt;/div&gt;</p>
 <p>sparse:</p>
-<p>&lt;div>
-&lt;div class="inner">
+<p>&lt;div&gt;
+&lt;div class=&quot;inner&quot;&gt;
 <em>content</em>
-&lt;/div>
-&lt;/div></p>
+&lt;/div&gt;
+&lt;/div&gt;</p>
 <p>paragraph</p>
-<p>&lt;style type="text/css"></p>
-<pre><code>p {
-    color: red;
-}</code></pre>
-<p>&lt;/style></p>
+<p>&lt;style type=&quot;text/css&quot;&gt;
+p {
+color: red;
+}
+&lt;/style&gt;</p>
 <p>comment</p>
-<p>&lt;!-- html comment --></p>
+<p>&lt;!-- html comment --&gt;</p>
 EXPECTED_HTML;
         $parsedownWithNoMarkup = new Parsedown();
         $parsedownWithNoMarkup->setMarkupEscaped(true);
         $this->assertEquals($expectedHtml, $parsedownWithNoMarkup->text($markdownWithHtml));
     }
+
+    public function testLateStaticBinding()
+    {
+        include __DIR__ . '/TestParsedown.php';
+
+        $parsedown = Parsedown::instance();
+        $this->assertInstanceOf('Parsedown', $parsedown);
+
+        // After instance is already called on Parsedown
+        // subsequent calls with the same arguments return the same instance
+        $sameParsedown = TestParsedown::instance();
+        $this->assertInstanceOf('Parsedown', $sameParsedown);
+        $this->assertSame($parsedown, $sameParsedown);
+
+        $testParsedown = TestParsedown::instance('test late static binding');
+        $this->assertInstanceOf('TestParsedown', $testParsedown);
+
+        $sameInstanceAgain = TestParsedown::instance('test late static binding');
+        $this->assertSame($testParsedown, $sameInstanceAgain);
+    }
 }

test/TestParsedown.php

@@ -0,0 +1,5 @@
+<?php
+
+class TestParsedown extends Parsedown
+{
+}

test/bootstrap.php

@@ -1,3 +1,3 @@
 <?php
 
-include 'Parsedown.php';
+include 'Parsedown.php';

test/data/aligned_table.html

@@ -1,21 +1,21 @@
 <table>
 <thead>
 <tr>
-<th align="left">header 1</th>
-<th align="center">header 2</th>
-<th align="right">header 2</th>
+<th style="text-align: left;">header 1</th>
+<th style="text-align: center;">header 2</th>
+<th style="text-align: right;">header 2</th>
 </tr>
 </thead>
 <tbody>
 <tr>
-<td align="left">cell 1.1</td>
-<td align="center">cell 1.2</td>
-<td align="right">cell 1.3</td>
+<td style="text-align: left;">cell 1.1</td>
+<td style="text-align: center;">cell 1.2</td>
+<td style="text-align: right;">cell 1.3</td>
 </tr>
 <tr>
-<td align="left">cell 2.1</td>
-<td align="center">cell 2.2</td>
-<td align="right">cell 2.3</td>
+<td style="text-align: left;">cell 2.1</td>
+<td style="text-align: center;">cell 2.2</td>
+<td style="text-align: right;">cell 2.3</td>
 </tr>
 </tbody>
 </table>

test/data/atx_heading.html

@@ -4,6 +4,6 @@
 <h4>h4</h4>
 <h5>h5</h5>
 <h6>h6</h6>
-<h6>h6</h6>
+<p>####### not a heading</p>
 <h1>closed h1</h1>
 <p>#</p>

test/data/atx_heading.md

@@ -10,7 +10,7 @@
 
 ###### h6
 
-####### h6
+####### not a heading
 
 # closed h1 #
 

test/data/block-level_html.html

@@ -1,13 +1,12 @@
 <div>_content_</div>
-<p>sparse:</p>
-<div>
-<div class="inner">
-_content_
-</div>
-</div>
 <p>paragraph</p>
+<div>
+  <div class="inner">
+    _content_
+  </div>
+</div>
 <style type="text/css">
-    p {
-        color: red;
-    }
-</style>
+  p {color: #789;}
+</style>
+<div>
+  <a href="/">home</a></div>

test/data/block-level_html.md

@@ -1,17 +1,16 @@
 <div>_content_</div>
 
-sparse:
-
-<div>
-<div class="inner">
-_content_
-</div>
-</div>
-
 paragraph
 
+<div>
+  <div class="inner">
+    _content_
+  </div>
+</div>
+
 <style type="text/css">
-    p {
-        color: red;
-    }
+  p {color: #789;}
 </style>
+
+<div>
+  <a href="/">home</a></div>

test/data/image_reference.html

@@ -1 +1,2 @@
-<p><img alt="Markdown Logo" src="/md.png" /></p>
+<p><img src="/md.png" alt="Markdown Logo" /></p>
+<p>![missing reference]</p>

test/data/image_reference.md

@@ -1,3 +1,5 @@
 ![Markdown Logo][image]
 
 [image]: /md.png
+
+![missing reference]

test/data/image_title.html

@@ -1 +1,2 @@
-<p><img alt="alt" src="/md.png" title="title" /></p>
+<p><img src="/md.png" alt="alt" title="title" /></p>
+<p><img src="/md.png" alt="blank title" title="" /></p>

test/data/image_title.md

@@ -1 +1,3 @@
-![alt](/md.png "title")
+![alt](/md.png "title")
+
+![blank title](/md.png "")

test/data/inline_link_title.html

@@ -1 +1,6 @@
-<p><a href="http://example.com" title="Title">single quotes</a> and <a href="http://example.com" title="Title">double quotes</a></p>
+<p><a href="http://example.com" title="Title">single quotes</a></p>
+<p><a href="http://example.com" title="Title">double quotes</a></p>
+<p><a href="http://example.com" title="">single quotes blank</a></p>
+<p><a href="http://example.com" title="">double quotes blank</a></p>
+<p><a href="http://example.com" title="2 Words">space</a></p>
+<p><a href="http://example.com/url-(parentheses)" title="Title">parentheses</a></p>

test/data/inline_link_title.md

@@ -1 +1,11 @@
-[single quotes](http://example.com 'Title') and [double quotes](http://example.com "Title")
+[single quotes](http://example.com 'Title')
+
+[double quotes](http://example.com "Title")
+
+[single quotes blank](http://example.com '')
+
+[double quotes blank](http://example.com "")
+
+[space](http://example.com "2 Words")
+
+[parentheses](http://example.com/url-(parentheses) "Title")

test/data/ordered_list.html

@@ -8,6 +8,6 @@
 <li>two</li>
 </ol>
 <p>large numbers:</p>
-<ol>
+<ol start="123">
 <li>one</li>
 </ol>

test/data/simple_table.html

@@ -20,17 +20,17 @@
 <table>
 <thead>
 <tr>
-<th align="left">header 1</th>
+<th style="text-align: left;">header 1</th>
 <th>header 2</th>
 </tr>
 </thead>
 <tbody>
 <tr>
-<td align="left">cell 1.1</td>
+<td style="text-align: left;">cell 1.1</td>
 <td>cell 1.2</td>
 </tr>
 <tr>
-<td align="left">cell 2.1</td>
+<td style="text-align: left;">cell 2.1</td>
 <td>cell 2.2</td>
 </tr>
 </tbody>

test/data/special_characters.html

@@ -1,6 +1,6 @@
 <p>AT&amp;T has an ampersand in their name</p>
 <p>this &amp; that</p>
-<p>4 &lt; 5 and 6 > 5</p>
+<p>4 &lt; 5 and 6 &gt; 5</p>
 <p><a href="http://example.com/autolink?a=1&amp;b=2">http://example.com/autolink?a=1&amp;b=2</a></p>
 <p><a href="/script?a=1&amp;b=2">inline link</a></p>
 <p><a href="http://example.com/?a=1&amp;b=2">reference link</a></p>

test/data/table_inline_markdown.html

@@ -11,8 +11,12 @@
 <td><del>cell</del> 1.2</td>
 </tr>
 <tr>
-<td><code>cell</code> 2.1</td>
-<td>cell 2.2</td>
+<td><code>|</code> 2.1</td>
+<td>| 2.2</td>
+</tr>
+<tr>
+<td><code>\|</code> 2.1</td>
+<td><a href="/">link</a></td>
 </tr>
 </tbody>
 </table>

test/data/table_inline_markdown.md

@@ -1,4 +1,5 @@
 | _header_ 1   | header 2     |
 | ------------ | ------------ |
 | _cell_ 1.1   | ~~cell~~ 1.2 |
-| `cell` 2.1   | cell 2.2     |
+| `|` 2.1      | \| 2.2       |
+| `\|` 2.1     | [link](/)    |

test/data/xss_attribute_encoding.html

@@ -0,0 +1,6 @@
+<p><a href="https://www.example.com&quot;">xss</a></p>
+<p><img src="https://www.example.com&quot;" alt="xss" /></p>
+<p><a href="https://www.example.com&#039;">xss</a></p>
+<p><img src="https://www.example.com&#039;" alt="xss" /></p>
+<p><img src="https://www.example.com" alt="xss&quot;" /></p>
+<p><img src="https://www.example.com" alt="xss&#039;" /></p>

test/data/xss_attribute_encoding.md

@@ -0,0 +1,11 @@
+[xss](https://www.example.com")
+
+![xss](https://www.example.com")
+
+[xss](https://www.example.com')
+
+![xss](https://www.example.com')
+
+![xss"](https://www.example.com)
+
+![xss'](https://www.example.com)

test/data/xss_bad_url.html

@@ -0,0 +1,16 @@
+<p><a href="javascript%3Aalert(1)">xss</a></p>
+<p><a href="javascript%3Aalert(1)">xss</a></p>
+<p><a href="javascript%3A//alert(1)">xss</a></p>
+<p><a href="javascript&amp;colon;alert(1)">xss</a></p>
+<p><img src="javascript%3Aalert(1)" alt="xss" /></p>
+<p><img src="javascript%3Aalert(1)" alt="xss" /></p>
+<p><img src="javascript%3A//alert(1)" alt="xss" /></p>
+<p><img src="javascript&amp;colon;alert(1)" alt="xss" /></p>
+<p><a href="data%3Atext/html;base64,PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg==">xss</a></p>
+<p><a href="data%3Atext/html;base64,PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg==">xss</a></p>
+<p><a href="data%3A//text/html;base64,PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg==">xss</a></p>
+<p><a href="data&amp;colon;text/html;base64,PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg==">xss</a></p>
+<p><img src="data%3Atext/html;base64,PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg==" alt="xss" /></p>
+<p><img src="data%3Atext/html;base64,PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg==" alt="xss" /></p>
+<p><img src="data%3A//text/html;base64,PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg==" alt="xss" /></p>
+<p><img src="data&amp;colon;text/html;base64,PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg==" alt="xss" /></p>

test/data/xss_bad_url.md

@@ -0,0 +1,31 @@
+[xss](javascript:alert(1))
+
+[xss]( javascript:alert(1))
+
+[xss](javascript://alert(1))
+
+[xss](javascript:alert(1))
+
+![xss](javascript:alert(1))
+
+![xss]( javascript:alert(1))
+
+![xss](javascript://alert(1))
+
+![xss](javascript:alert(1))
+
+[xss](data:text/html;base64,PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg==)
+
+[xss]( data:text/html;base64,PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg==)
+
+[xss](data://text/html;base64,PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg==)
+
+[xss](data:text/html;base64,PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg==)
+
+![xss](data:text/html;base64,PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg==)
+
+![xss]( data:text/html;base64,PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg==)
+
+![xss](data://text/html;base64,PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg==)
+
+![xss](data:text/html;base64,PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg==)

test/data/xss_text_encoding.html

@@ -0,0 +1,7 @@
+<p>&lt;script&gt;alert(1)&lt;/script&gt;</p>
+<p>&lt;script&gt;</p>
+<p>alert(1)</p>
+<p>&lt;/script&gt;</p>
+<p>&lt;script&gt;
+alert(1)
+&lt;/script&gt;</p>

test/data/xss_text_encoding.md

@@ -0,0 +1,12 @@
+<script>alert(1)</script>
+
+<script>
+
+alert(1)
+
+</script>
+
+
+<script>
+alert(1)
+</script>