Bump version

[1.7.x] Fix spaces in class names

.gitattributes

@@ -0,0 +1,5 @@
+# Ignore all tests for archive
+/test               export-ignore
+/.gitattributes     export-ignore
+/.travis.yml        export-ignore
+/phpunit.xml.dist   export-ignore

.travis.yml

@@ -1,8 +1,28 @@
 language: php
 
-php:
-  - 5.6
-  - 5.5
-  - 5.4
-  - 5.3
-  - hhvm
+dist: trusty
+sudo: false
+
+matrix:
+  include:
+    - php: 5.3
+      dist: precise
+    - php: 5.4
+    - php: 5.5
+    - php: 5.6
+    - php: 7.0
+    - php: 7.1
+    - php: 7.2
+    - php: 7.3
+    - php: nightly
+  fast_finish: true
+  allow_failures:
+    - php: nightly
+
+install:
+  - composer install --prefer-dist --no-interaction --no-progress
+
+script:
+  - vendor/bin/phpunit
+  - vendor/bin/phpunit test/CommonMarkTestWeak.php || true
+  - '[ -z "$TRAVIS_TAG" ] || [ "$TRAVIS_TAG" == "$(php -r "require(\"Parsedown.php\"); echo Parsedown::version;")" ]'

LICENSE.txt

@@ -1,6 +1,6 @@
 The MIT License (MIT)
 
-Copyright (c) 2013 Emanuil Rusev, erusev.com
+Copyright (c) 2013-2018 Emanuil Rusev, erusev.com
 
 Permission is hereby granted, free of charge, to any person obtaining a copy of
 this software and associated documentation files (the "Software"), to deal in
@@ -17,4 +17,4 @@ IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS
 FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR
 COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER
 IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
-CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
+CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

Parsedown.php

@@ -17,7 +17,7 @@ class Parsedown
 {
     # ~
 
-    const version = '1.5.1';
+    const version = '1.7.2';
 
     # ~
 
@@ -75,6 +75,32 @@ class Parsedown
 
     protected $urlsLinked = true;
 
+    function setSafeMode($safeMode)
+    {
+        $this->safeMode = (bool) $safeMode;
+
+        return $this;
+    }
+
+    protected $safeMode;
+
+    protected $safeLinksWhitelist = array(
+        'http://',
+        'https://',
+        'ftp://',
+        'ftps://',
+        'mailto:',
+        'data:image/png;base64,',
+        'data:image/gif;base64,',
+        'data:image/jpeg;base64,',
+        'irc:',
+        'ircs:',
+        'git:',
+        'ssh:',
+        'news:',
+        'steam:',
+    );
+
     #
     # Lines
     #
@@ -107,12 +133,6 @@ class Parsedown
 
     # ~
 
-    protected $DefinitionTypes = array(
-        '[' => array('Reference'),
-    );
-
-    # ~
-
     protected $unmarkedBlockTypes = array(
         'Code',
     );
@@ -121,7 +141,7 @@ class Parsedown
     # Blocks
     #
 
-    private function lines(array $lines)
+    protected function lines(array $lines)
     {
         $CurrentBlock = null;
 
@@ -169,7 +189,7 @@ class Parsedown
 
             # ~
 
-            if (isset($CurrentBlock['incomplete']))
+            if (isset($CurrentBlock['continuable']))
             {
                 $Block = $this->{'block'.$CurrentBlock['type'].'Continue'}($Line, $CurrentBlock);
 
@@ -181,12 +201,10 @@ class Parsedown
                 }
                 else
                 {
-                    if (method_exists($this, 'block'.$CurrentBlock['type'].'Complete'))
+                    if ($this->isBlockCompletable($CurrentBlock['type']))
                     {
                         $CurrentBlock = $this->{'block'.$CurrentBlock['type'].'Complete'}($CurrentBlock);
                     }
-
-                    unset($CurrentBlock['incomplete']);
                 }
             }
 
@@ -224,9 +242,9 @@ class Parsedown
                         $Block['identified'] = true;
                     }
 
-                    if (method_exists($this, 'block'.$blockType.'Continue'))
+                    if ($this->isBlockContinuable($blockType))
                     {
-                        $Block['incomplete'] = true;
+                        $Block['continuable'] = true;
                     }
 
                     $CurrentBlock = $Block;
@@ -253,7 +271,7 @@ class Parsedown
 
         # ~
 
-        if (isset($CurrentBlock['incomplete']) and method_exists($this, 'block'.$CurrentBlock['type'].'Complete'))
+        if (isset($CurrentBlock['continuable']) and $this->isBlockCompletable($CurrentBlock['type']))
         {
             $CurrentBlock = $this->{'block'.$CurrentBlock['type'].'Complete'}($CurrentBlock);
         }
@@ -286,6 +304,16 @@ class Parsedown
         return $markup;
     }
 
+    protected function isBlockContinuable($Type)
+    {
+        return method_exists($this, 'block'.$Type.'Continue');
+    }
+
+    protected function isBlockCompletable($Type)
+    {
+        return method_exists($this, 'block'.$Type.'Complete');
+    }
+
     #
     # Code
 
@@ -340,8 +368,6 @@ class Parsedown
     {
         $text = $Block['element']['text']['text'];
 
-        $text = htmlspecialchars($text, ENT_NOQUOTES, 'UTF-8');
-
         $Block['element']['text']['text'] = $text;
 
         return $Block;
@@ -352,7 +378,7 @@ class Parsedown
 
     protected function blockComment($Line)
     {
-        if ($this->markupEscaped)
+        if ($this->markupEscaped or $this->safeMode)
         {
             return;
         }
@@ -394,16 +420,30 @@ class Parsedown
 
     protected function blockFencedCode($Line)
     {
-        if (preg_match('/^(['.$Line['text'][0].']{3,})[ ]*([\w-]+)?[ ]*$/', $Line['text'], $matches))
+        if (preg_match('/^['.$Line['text'][0].']{3,}[ ]*([^`]+)?[ ]*$/', $Line['text'], $matches))
         {
             $Element = array(
                 'name' => 'code',
                 'text' => '',
             );
 
-            if (isset($matches[2]))
+            if (isset($matches[1]))
             {
-                $class = 'language-'.$matches[2];
+                /**
+                 * https://www.w3.org/TR/2011/WD-html5-20110525/elements.html#classes
+                 * Every HTML element may have a class attribute specified.
+                 * The attribute, if specified, must have a value that is a set
+                 * of space-separated tokens representing the various classes
+                 * that the element belongs to.
+                 * [...]
+                 * The space characters, for the purposes of this specification,
+                 * are U+0020 SPACE, U+0009 CHARACTER TABULATION (tab),
+                 * U+000A LINE FEED (LF), U+000C FORM FEED (FF), and
+                 * U+000D CARRIAGE RETURN (CR).
+                 */
+                $language = substr($matches[1], 0, strcspn($matches[1], " \t\n\f\r"));
+
+                $class = 'language-'.$language;
 
                 $Element['attributes'] = array(
                     'class' => $class,
@@ -446,7 +486,7 @@ class Parsedown
             return $Block;
         }
 
-        $Block['element']['text']['text'] .= "\n".$Line['body'];;
+        $Block['element']['text']['text'] .= "\n".$Line['body'];
 
         return $Block;
     }
@@ -455,8 +495,6 @@ class Parsedown
     {
         $text = $Block['element']['text']['text'];
 
-        $text = htmlspecialchars($text, ENT_NOQUOTES, 'UTF-8');
-
         $Block['element']['text']['text'] = $text;
 
         return $Block;
@@ -513,6 +551,16 @@ class Parsedown
                 ),
             );
 
+            if($name === 'ol')
+            {
+                $listStart = stristr($matches[0], '.', true);
+
+                if($listStart !== '1')
+                {
+                    $Block['element']['attributes'] = array('start' => $listStart);
+                }
+            }
+
             $Block['li'] = array(
                 'name' => 'li',
                 'handler' => 'li',
@@ -535,6 +583,8 @@ class Parsedown
             {
                 $Block['li']['text'] []= '';
 
+                $Block['loose'] = true;
+
                 unset($Block['interrupted']);
             }
 
@@ -583,6 +633,22 @@ class Parsedown
         }
     }
 
+    protected function blockListComplete(array $Block)
+    {
+        if (isset($Block['loose']))
+        {
+            foreach ($Block['element']['text'] as &$li)
+            {
+                if (end($li['text']) !== '')
+                {
+                    $li['text'] []= '';
+                }
+            }
+        }
+
+        return $Block;
+    }
+
     #
     # Quote
 
@@ -666,14 +732,16 @@ class Parsedown
 
     protected function blockMarkup($Line)
     {
-        if ($this->markupEscaped)
+        if ($this->markupEscaped or $this->safeMode)
         {
             return;
         }
 
-        if (preg_match('/^<(\w*)(?:[ ]*'.$this->regexHtmlAttribute.')*[ ]*(\/)?>/', $Line['text'], $matches))
+        if (preg_match('/^<(\w[\w-]*)(?:[ ]*'.$this->regexHtmlAttribute.')*[ ]*(\/)?>/', $Line['text'], $matches))
         {
-            if (in_array($matches[1], $this->textLevelElements))
+            $element = strtolower($matches[1]);
+
+            if (in_array($element, $this->textLevelElements))
             {
                 return;
             }
@@ -983,24 +1051,29 @@ class Parsedown
     # ~
     #
 
-    public function line($text)
+    public function line($text, $nonNestables=array())
     {
         $markup = '';
 
-        $unexaminedText = $text;
+        # $excerpt is based on the first occurrence of a marker
 
-        $markerPosition = 0;
-
-        while ($excerpt = strpbrk($unexaminedText, $this->inlineMarkerList))
+        while ($excerpt = strpbrk($text, $this->inlineMarkerList))
         {
             $marker = $excerpt[0];
 
-            $markerPosition += strpos($unexaminedText, $marker);
+            $markerPosition = strpos($text, $marker);
 
             $Excerpt = array('text' => $excerpt, 'context' => $text);
 
             foreach ($this->InlineTypes[$marker] as $inlineType)
             {
+                # check to see if the current inline type is nestable in the current context
+
+                if ( ! empty($nonNestables) and in_array($inlineType, $nonNestables))
+                {
+                    continue;
+                }
+
                 $Inline = $this->{'inline'.$inlineType}($Excerpt);
 
                 if ( ! isset($Inline))
@@ -1008,34 +1081,49 @@ class Parsedown
                     continue;
                 }
 
-                if (isset($Inline['position']) and $Inline['position'] > $markerPosition) # position is ahead of marker
+                # makes sure that the inline belongs to "our" marker
+
+                if (isset($Inline['position']) and $Inline['position'] > $markerPosition)
                 {
                     continue;
                 }
 
+                # sets a default inline position
+
                 if ( ! isset($Inline['position']))
                 {
                     $Inline['position'] = $markerPosition;
                 }
 
+                # cause the new element to 'inherit' our non nestables
+
+                foreach ($nonNestables as $non_nestable)
+                {
+                    $Inline['element']['nonNestables'][] = $non_nestable;
+                }
+
+                # the text that comes before the inline
                 $unmarkedText = substr($text, 0, $Inline['position']);
 
+                # compile the unmarked text
                 $markup .= $this->unmarkedText($unmarkedText);
 
+                # compile the inline
                 $markup .= isset($Inline['markup']) ? $Inline['markup'] : $this->element($Inline['element']);
 
+                # remove the examined text
                 $text = substr($text, $Inline['position'] + $Inline['extent']);
 
-                $unexaminedText = $text;
-
-                $markerPosition = 0;
-
                 continue 2;
             }
 
-            $unexaminedText = substr($excerpt, 1);
+            # the marker does not belong to an inline
 
-            $markerPosition ++;
+            $unmarkedText = substr($text, 0, $markerPosition + 1);
+
+            $markup .= $this->unmarkedText($unmarkedText);
+
+            $text = substr($text, $markerPosition + 1);
         }
 
         $markup .= $this->unmarkedText($text);
@@ -1054,7 +1142,6 @@ class Parsedown
         if (preg_match('/^('.$marker.'+)[ ]*(.+?)[ ]*(?<!'.$marker.')\1(?!'.$marker.')/s', $Excerpt['text'], $matches))
         {
             $text = $matches[2];
-            $text = htmlspecialchars($text, ENT_NOQUOTES, 'UTF-8');
             $text = preg_replace("/[ ]*\n/", ' ', $text);
 
             return array(
@@ -1173,6 +1260,7 @@ class Parsedown
         $Element = array(
             'name' => 'a',
             'handler' => 'line',
+            'nonNestables' => array('Url', 'Link'),
             'text' => null,
             'attributes' => array(
                 'href' => null,
@@ -1184,7 +1272,7 @@ class Parsedown
 
         $remainder = $Excerpt['text'];
 
-        if (preg_match('/\[((?:[^][]|(?R))*)\]/', $remainder, $matches))
+        if (preg_match('/\[((?:[^][]++|(?R))*+)\]/', $remainder, $matches))
         {
             $Element['text'] = $matches[1];
 
@@ -1197,7 +1285,7 @@ class Parsedown
             return;
         }
 
-        if (preg_match('/^[(]((?:[^ ()]|[(][^ )]+[)])+)(?:[ ]+("[^"]*"|\'[^\']*\'))?[)]/', $remainder, $matches))
+        if (preg_match('/^[(]\s*+((?:[^ ()]++|[(][^ )]+[)])++)(?:[ ]+("[^"]*"|\'[^\']*\'))?\s*[)]/', $remainder, $matches))
         {
             $Element['attributes']['href'] = $matches[1];
 
@@ -1212,7 +1300,7 @@ class Parsedown
         {
             if (preg_match('/^\s*\[(.*?)\]/', $remainder, $matches))
             {
-                $definition = $matches[1] ? $matches[1] : $Element['text'];
+                $definition = strlen($matches[1]) ? $matches[1] : $Element['text'];
                 $definition = strtolower($definition);
 
                 $extent += strlen($matches[0]);
@@ -1233,8 +1321,6 @@ class Parsedown
             $Element['attributes']['title'] = $Definition['title'];
         }
 
-        $Element['attributes']['href'] = str_replace(array('&', '<'), array('&amp;', '&lt;'), $Element['attributes']['href']);
-
         return array(
             'extent' => $extent,
             'element' => $Element,
@@ -1243,12 +1329,12 @@ class Parsedown
 
     protected function inlineMarkup($Excerpt)
     {
-        if ($this->markupEscaped or strpos($Excerpt['text'], '>') === false)
+        if ($this->markupEscaped or $this->safeMode or strpos($Excerpt['text'], '>') === false)
         {
             return;
         }
 
-        if ($Excerpt['text'][1] === '/' and preg_match('/^<\/\w*[ ]*>/s', $Excerpt['text'], $matches))
+        if ($Excerpt['text'][1] === '/' and preg_match('/^<\/\w[\w-]*[ ]*>/s', $Excerpt['text'], $matches))
         {
             return array(
                 'markup' => $matches[0],
@@ -1264,7 +1350,7 @@ class Parsedown
             );
         }
 
-        if ($Excerpt['text'][1] !== ' ' and preg_match('/^<\w*(?:[ ]*'.$this->regexHtmlAttribute.')*[ ]*\/?>/s', $Excerpt['text'], $matches))
+        if ($Excerpt['text'][1] !== ' ' and preg_match('/^<\w[\w-]*(?:[ ]*'.$this->regexHtmlAttribute.')*[ ]*\/?>/s', $Excerpt['text'], $matches))
         {
             return array(
                 'markup' => $matches[0],
@@ -1323,14 +1409,16 @@ class Parsedown
 
         if (preg_match('/\bhttps?:[\/]{2}[^\s<]+\b\/*/ui', $Excerpt['context'], $matches, PREG_OFFSET_CAPTURE))
         {
+            $url = $matches[0][0];
+
             $Inline = array(
                 'extent' => strlen($matches[0][0]),
                 'position' => $matches[0][1],
                 'element' => array(
                     'name' => 'a',
-                    'text' => $matches[0][0],
+                    'text' => $url,
                     'attributes' => array(
-                        'href' => $matches[0][0],
+                        'href' => $url,
                     ),
                 ),
             );
@@ -1343,7 +1431,7 @@ class Parsedown
     {
         if (strpos($Excerpt['text'], '>') !== false and preg_match('/^<(\w+:\/{2}[^ >]+)>/i', $Excerpt['text'], $matches))
         {
-            $url = str_replace(array('&', '<'), array('&amp;', '&lt;'), $matches[1]);
+            $url = $matches[1];
 
             return array(
                 'extent' => strlen($matches[0]),
@@ -1381,6 +1469,11 @@ class Parsedown
 
     protected function element(array $Element)
     {
+        if ($this->safeMode)
+        {
+            $Element = $this->sanitiseElement($Element);
+        }
+
         $markup = '<'.$Element['name'];
 
         if (isset($Element['attributes']))
@@ -1392,7 +1485,7 @@ class Parsedown
                     continue;
                 }
 
-                $markup .= ' '.$name.'="'.$value.'"';
+                $markup .= ' '.$name.'="'.self::escape($value).'"';
             }
         }
 
@@ -1400,13 +1493,18 @@ class Parsedown
         {
             $markup .= '>';
 
+            if (!isset($Element['nonNestables'])) 
+            {
+                $Element['nonNestables'] = array();
+            }
+
             if (isset($Element['handler']))
             {
-                $markup .= $this->{$Element['handler']}($Element['text']);
+                $markup .= $this->{$Element['handler']}($Element['text'], $Element['nonNestables']);
             }
             else
             {
-                $markup .= $Element['text'];
+                $markup .= self::escape($Element['text'], true);
             }
 
             $markup .= '</'.$Element['name'].'>';
@@ -1465,10 +1563,77 @@ class Parsedown
         return $markup;
     }
 
+    protected function sanitiseElement(array $Element)
+    {
+        static $goodAttribute = '/^[a-zA-Z0-9][a-zA-Z0-9-_]*+$/';
+        static $safeUrlNameToAtt  = array(
+            'a'   => 'href',
+            'img' => 'src',
+        );
+
+        if (isset($safeUrlNameToAtt[$Element['name']]))
+        {
+            $Element = $this->filterUnsafeUrlInAttribute($Element, $safeUrlNameToAtt[$Element['name']]);
+        }
+
+        if ( ! empty($Element['attributes']))
+        {
+            foreach ($Element['attributes'] as $att => $val)
+            {
+                # filter out badly parsed attribute
+                if ( ! preg_match($goodAttribute, $att))
+                {
+                    unset($Element['attributes'][$att]);
+                }
+                # dump onevent attribute
+                elseif (self::striAtStart($att, 'on'))
+                {
+                    unset($Element['attributes'][$att]);
+                }
+            }
+        }
+
+        return $Element;
+    }
+
+    protected function filterUnsafeUrlInAttribute(array $Element, $attribute)
+    {
+        foreach ($this->safeLinksWhitelist as $scheme)
+        {
+            if (self::striAtStart($Element['attributes'][$attribute], $scheme))
+            {
+                return $Element;
+            }
+        }
+
+        $Element['attributes'][$attribute] = str_replace(':', '%3A', $Element['attributes'][$attribute]);
+
+        return $Element;
+    }
+
     #
     # Static Methods
     #
 
+    protected static function escape($text, $allowQuotes = false)
+    {
+        return htmlspecialchars($text, $allowQuotes ? ENT_NOQUOTES : ENT_QUOTES, 'UTF-8');
+    }
+
+    protected static function striAtStart($string, $needle)
+    {
+        $len = strlen($needle);
+
+        if ($len > strlen($string))
+        {
+            return false;
+        }
+        else
+        {
+            return strtolower(substr($string, 0, $len)) === strtolower($needle);
+        }
+    }
+
     static function instance($name = 'default')
     {
         if (isset(self::$instances[$name]))
@@ -1476,7 +1641,7 @@ class Parsedown
             return self::$instances[$name];
         }
 
-        $instance = new self();
+        $instance = new static();
 
         self::$instances[$name] = $instance;
 
@@ -1519,10 +1684,10 @@ class Parsedown
         'b', 'em', 'big', 'cite', 'small', 'spacer', 'listing',
         'i', 'rp', 'del', 'code',          'strike', 'marquee',
         'q', 'rt', 'ins', 'font',          'strong',
-        's', 'tt', 'sub', 'mark',
-        'u', 'xm', 'sup', 'nobr',
-                   'var', 'ruby',
-                   'wbr', 'span',
-                          'time',
+        's', 'tt', 'kbd', 'mark',
+        'u', 'xm', 'sub', 'nobr',
+                   'sup', 'ruby',
+                   'var', 'span',
+                   'wbr', 'time',
     );
 }

README.md

@@ -1,3 +1,5 @@
+> I also make [Caret](https://caret.io?ref=parsedown) - a Markdown editor for Mac and PC.
+
 ## Parsedown
 
 [![Build Status](https://img.shields.io/travis/erusev/parsedown/master.svg?style=flat-square)](https://travis-ci.org/erusev/parsedown)
@@ -5,15 +7,19 @@
 
 Better Markdown Parser in PHP
 
-[See Demo](http://parsedown.org/demo)
+[Demo](http://parsedown.org/demo) |
+[Benchmarks](http://parsedown.org/speed) |
+[Tests](http://parsedown.org/tests/) |
+[Documentation](https://github.com/erusev/parsedown/wiki/)
 
 ### Features
 
-* [Fast](http://parsedown.org/speed)
-* [Consistent](http://parsedown.org/consistency)
+* One File
+* No Dependencies
+* Super Fast
+* Extensible
 * [GitHub flavored](https://help.github.com/articles/github-flavored-markdown)
-* [Tested](http://parsedown.org/tests/) in PHP 5.3, 5.4, 5.5, 5.6 and [HHVM](http://www.hhvm.com/)
-* [Extensible](https://github.com/erusev/parsedown/wiki/Writing-Extensions)
+* Tested in 5.3 to 7.1 and in HHVM
 * [Markdown Extra extension](https://github.com/erusev/parsedown-extra)
 
 ### Installation
@@ -28,13 +34,42 @@ $Parsedown = new Parsedown();
 echo $Parsedown->text('Hello _Parsedown_!'); # prints: <p>Hello <em>Parsedown</em>!</p>
 ```
 
-More examples in [the wiki](https://github.com/erusev/parsedown/wiki/Usage) and in [this video tutorial](http://youtu.be/wYZBY8DEikI).
+More examples in [the wiki](https://github.com/erusev/parsedown/wiki/) and in [this video tutorial](http://youtu.be/wYZBY8DEikI).
+
+### Security
+
+Parsedown is capable of escaping user-input within the HTML that it generates. Additionally Parsedown will apply sanitisation to additional scripting vectors (such as scripting link destinations) that are introduced by the markdown syntax itself.
+
+To tell Parsedown that it is processing untrusted user-input, use the following:
+```php
+$parsedown = new Parsedown;
+$parsedown->setSafeMode(true);
+```
+
+If instead, you wish to allow HTML within untrusted user-input, but still want output to be free from XSS it is recommended that you make use of a HTML sanitiser that allows HTML tags to be whitelisted, like [HTML Purifier](http://htmlpurifier.org/).
+
+In both cases you should strongly consider employing defence-in-depth measures, like [deploying a Content-Security-Policy](https://scotthelme.co.uk/content-security-policy-an-introduction/) (a browser security feature) so that your page is likely to be safe even if an attacker finds a vulnerability in one of the first lines of defence above.
+
+#### Security of Parsedown Extensions
+
+Safe mode does not necessarily yield safe results when using extensions to Parsedown. Extensions should be evaluated on their own to determine their specific safety against XSS.
+
+### Escaping HTML
+> ⚠️  **WARNING:** This method isn't safe from XSS!
+
+If you wish to escape HTML **in trusted input**, you can use the following:
+```php
+$parsedown = new Parsedown;
+$parsedown->setMarkupEscaped(true);
+```
+
+Beware that this still allows users to insert unsafe scripting vectors, such as links like `[xss](javascript:alert%281%29)`.
 
 ### Questions
 
 **How does Parsedown work?**
 
-It tries to read Markdown like a human. First, it looks at the lines. It’s interested in how the lines start. This helps it recognise blocks. It knows, for example, that if a line start with a `-` then it perhaps belong to a list. Once it recognises the blocks, it continues to the content. As it reads, it watches out for special characters. This helps it recognise inline elements (or inlines).
+It tries to read Markdown like a human. First, it looks at the lines. It’s interested in how the lines start. This helps it recognise blocks. It knows, for example, that if a line starts with a `-` then perhaps it belongs to a list. Once it recognises the blocks, it continues to the content. As it reads, it watches out for special characters. This helps it recognise inline elements (or inlines).
 
 We call this approach "line based". We believe that Parsedown is the first Markdown parser to use it. Since the release of Parsedown, other developers have used the same approach to develop other Markdown parsers in PHP and in other languages.
 
@@ -44,8 +79,8 @@ It passes most of the CommonMark tests. Most of the tests that don't pass deal w
 
 **Who uses it?**
 
-[phpDocumentor](http://www.phpdoc.org/), [October CMS](http://octobercms.com/), [Bolt CMS](http://bolt.cm/), [Kirby CMS](http://getkirby.com/), [Grav CMS](http://getgrav.org/), [Statamic CMS](http://www.statamic.com/),  [RaspberryPi.org](http://www.raspberrypi.org/) and [more](https://www.versioneye.com/php/erusev:parsedown/references).
+[Laravel Framework](https://laravel.com/), [Bolt CMS](http://bolt.cm/), [Grav CMS](http://getgrav.org/), [Herbie CMS](http://www.getherbie.org/), [Kirby CMS](http://getkirby.com/), [October CMS](http://octobercms.com/), [Pico CMS](http://picocms.org), [Statamic CMS](http://www.statamic.com/), [phpDocumentor](http://www.phpdoc.org/), [RaspberryPi.org](http://www.raspberrypi.org/), [Symfony demo](https://github.com/symfony/symfony-demo) and [more](https://packagist.org/packages/erusev/parsedown/dependents).
 
 **How can I help?**
 
-Use it, star it, share it and if you feel generous, [donate some money](https://www.paypal.com/cgi-bin/webscr?cmd=_s-xclick&hosted_button_id=528P3NZQMP8N2).
+Use it, star it, share it and if you feel generous, [donate](https://www.paypal.com/cgi-bin/webscr?cmd=_s-xclick&hosted_button_id=528P3NZQMP8N2).

composer.json

@@ -12,7 +12,22 @@
             "homepage": "http://erusev.com"
         }
     ],
+    "require": {
+        "php": ">=5.3.0",
+        "ext-mbstring": "*"
+    },
+    "require-dev": {
+        "phpunit/phpunit": "^4.8.35"
+    },
     "autoload": {
         "psr-0": {"Parsedown": ""}
+    },
+    "autoload-dev": {
+        "psr-0": {
+            "TestParsedown": "test/",
+            "ParsedownTest": "test/",
+            "CommonMarkTest": "test/",
+            "CommonMarkTestWeak": "test/"
+        }
     }
-}
+}

phpunit.xml.dist

@@ -1,8 +1,8 @@
 <?xml version="1.0" encoding="UTF-8"?>
-<phpunit bootstrap="test/bootstrap.php" colors="true">
+<phpunit bootstrap="vendor/autoload.php" colors="true">
 	<testsuites>
 		<testsuite>
 			<file>test/ParsedownTest.php</file>
 		</testsuite>
 	</testsuites>
-</phpunit>
+</phpunit>

test/CommonMarkTest.php

@@ -1,74 +0,0 @@
-<?php
-
-/**
- * Test Parsedown against the CommonMark spec.
- *
- * Some code based on the original JavaScript test runner by jgm.
- *
- * @link http://commonmark.org/ CommonMark
- * @link http://git.io/8WtRvQ JavaScript test runner
- */
-class CommonMarkTest extends PHPUnit_Framework_TestCase
-{
-    const SPEC_URL = 'https://raw.githubusercontent.com/jgm/stmd/master/spec.txt';
-
-    /**
-     * @dataProvider data
-     * @param $section
-     * @param $markdown
-     * @param $expectedHtml
-     */
-    function test_($section, $markdown, $expectedHtml)
-    {
-        $Parsedown = new Parsedown();
-        $Parsedown->setUrlsLinked(false);
-
-        $actualHtml = $Parsedown->text($markdown);
-        $actualHtml = $this->normalizeMarkup($actualHtml);
-
-        $this->assertEquals($expectedHtml, $actualHtml);
-    }
-
-    function data()
-    {
-        $spec = file_get_contents(self::SPEC_URL);
-        $spec = strstr($spec, '<!-- END TESTS -->', true);
-
-        $tests = array();
-        $currentSection = '';
-
-        preg_replace_callback(
-            '/^\.\n([\s\S]*?)^\.\n([\s\S]*?)^\.$|^#{1,6} *(.*)$/m',
-            function($matches) use ( & $tests, & $currentSection, & $testCount) {
-                if (isset($matches[3]) and $matches[3]) {
-                    $currentSection = $matches[3];
-                } else {
-                    $testCount++;
-                    $markdown = $matches[1];
-                    $markdown = preg_replace('/→/', "\t", $markdown);
-                    $expectedHtml = $matches[2];
-                    $expectedHtml = $this->normalizeMarkup($expectedHtml);
-                    $tests []= array(
-                        $currentSection, # section
-                        $markdown, # markdown
-                        $expectedHtml, # html
-                    );
-                }
-            },
-            $spec
-        );
-
-        return $tests;
-    }
-
-    private function normalizeMarkup($markup)
-    {
-        $markup = preg_replace("/\n+/", "\n", $markup);
-        $markup = preg_replace('/^\s+/m', '', $markup);
-        $markup = preg_replace('/^((?:<[\w]+>)+)\n/m', '$1', $markup);
-        $markup = preg_replace('/\n((?:<\/[\w]+>)+)$/m', '$1', $markup);
-        $markup = trim($markup);
-
-        return $markup;
-    }
-}

test/CommonMarkTestStrict.php

@@ -0,0 +1,71 @@
+<?php
+
+/**
+ * Test Parsedown against the CommonMark spec
+ *
+ * @link http://commonmark.org/ CommonMark
+ */
+class CommonMarkTestStrict extends PHPUnit_Framework_TestCase
+{
+    const SPEC_URL = 'https://raw.githubusercontent.com/jgm/CommonMark/master/spec.txt';
+
+    protected $parsedown;
+
+    protected function setUp()
+    {
+        $this->parsedown = new TestParsedown();
+        $this->parsedown->setUrlsLinked(false);
+    }
+
+    /**
+     * @dataProvider data
+     * @param $id
+     * @param $section
+     * @param $markdown
+     * @param $expectedHtml
+     */
+    public function testExample($id, $section, $markdown, $expectedHtml)
+    {
+        $actualHtml = $this->parsedown->text($markdown);
+        $this->assertEquals($expectedHtml, $actualHtml);
+    }
+
+    /**
+     * @return array
+     */
+    public function data()
+    {
+        $spec = file_get_contents(self::SPEC_URL);
+        if ($spec === false) {
+            $this->fail('Unable to load CommonMark spec from ' . self::SPEC_URL);
+        }
+
+        $spec = str_replace("\r\n", "\n", $spec);
+        $spec = strstr($spec, '<!-- END TESTS -->', true);
+
+        $matches = array();
+        preg_match_all('/^`{32} example\n((?s).*?)\n\.\n(?:|((?s).*?)\n)`{32}$|^#{1,6} *(.*?)$/m', $spec, $matches, PREG_SET_ORDER);
+
+        $data = array();
+        $currentId = 0;
+        $currentSection = '';
+        foreach ($matches as $match) {
+            if (isset($match[3])) {
+                $currentSection = $match[3];
+            } else {
+                $currentId++;
+                $markdown = str_replace('→', "\t", $match[1]);
+                $expectedHtml = isset($match[2]) ? str_replace('→', "\t", $match[2]) : '';
+
+                $data[$currentId] = array(
+                    'id' => $currentId,
+                    'section' => $currentSection,
+                    'markdown' => $markdown,
+                    'expectedHtml' => $expectedHtml
+                );
+            }
+        }
+
+        return $data;
+    }
+}

test/CommonMarkTestWeak.php

@@ -0,0 +1,63 @@
+<?php
+require_once(__DIR__ . '/CommonMarkTestStrict.php');
+
+/**
+ * Test Parsedown against the CommonMark spec, but less aggressive
+ *
+ * The resulting HTML markup is cleaned up before comparison, so examples
+ * which would normally fail due to actually invisible differences (e.g.
+ * superfluous whitespaces), don't fail. However, cleanup relies on block
+ * element detection. The detection doesn't work correctly when a element's
+ * `display` CSS property is manipulated. According to that this test is only
+ * a interim solution on Parsedown's way to full CommonMark compatibility.
+ *
+ * @link http://commonmark.org/ CommonMark
+ */
+class CommonMarkTestWeak extends CommonMarkTestStrict
+{
+    protected $textLevelElementRegex;
+
+    protected function setUp()
+    {
+        parent::setUp();
+
+        $textLevelElements = $this->parsedown->getTextLevelElements();
+        array_walk($textLevelElements, function (&$element) {
+            $element = preg_quote($element, '/');
+        });
+        $this->textLevelElementRegex = '\b(?:' . implode('|', $textLevelElements) . ')\b';
+    }
+
+    /**
+     * @dataProvider data
+     * @param $id
+     * @param $section
+     * @param $markdown
+     * @param $expectedHtml
+     */
+    public function testExample($id, $section, $markdown, $expectedHtml)
+    {
+        $expectedHtml = $this->cleanupHtml($expectedHtml);
+
+        $actualHtml = $this->parsedown->text($markdown);
+        $actualHtml = $this->cleanupHtml($actualHtml);
+
+        $this->assertEquals($expectedHtml, $actualHtml);
+    }
+
+    protected function cleanupHtml($markup)
+    {
+        // invisible whitespaces at the beginning and end of block elements
+        // however, whitespaces at the beginning of <pre> elements do matter
+        $markup = preg_replace(
+            array(
+                '/(<(?!(?:' . $this->textLevelElementRegex . '|\bpre\b))\w+\b[^>]*>(?:<' . $this->textLevelElementRegex . '[^>]*>)*)\s+/s',
+                '/\s+((?:<\/' . $this->textLevelElementRegex . '>)*<\/(?!' . $this->textLevelElementRegex . ')\w+\b>)/s'
+            ),
+            '$1',
+            $markup
+        );
+
+        return $markup;
+    }
+}

test/ParsedownTest.php

@@ -1,6 +1,8 @@
 <?php
 
-class ParsedownTest extends PHPUnit_Framework_TestCase
+use PHPUnit\Framework\TestCase;
+
+class ParsedownTest extends TestCase
 {
     final function __construct($name = null, array $data = array(), $dataName = '')
     {
@@ -27,7 +29,7 @@ class ParsedownTest extends PHPUnit_Framework_TestCase
      */
     protected function initParsedown()
     {
-        $Parsedown = new Parsedown();
+        $Parsedown = new TestParsedown();
 
         return $Parsedown;
     }
@@ -46,6 +48,8 @@ class ParsedownTest extends PHPUnit_Framework_TestCase
         $expectedMarkup = str_replace("\r\n", "\n", $expectedMarkup);
         $expectedMarkup = str_replace("\r", "\n", $expectedMarkup);
 
+        $this->Parsedown->setSafeMode(substr($test, 0, 3) === 'xss');
+
         $actualMarkup = $this->Parsedown->text($markdown);
 
         $this->assertEquals($expectedMarkup, $actualMarkup);
@@ -132,8 +136,27 @@ color: red;
 <p>comment</p>
 <p>&lt;!-- html comment --&gt;</p>
 EXPECTED_HTML;
-        $parsedownWithNoMarkup = new Parsedown();
+
+        $parsedownWithNoMarkup = new TestParsedown();
         $parsedownWithNoMarkup->setMarkupEscaped(true);
         $this->assertEquals($expectedHtml, $parsedownWithNoMarkup->text($markdownWithHtml));
     }
+
+    public function testLateStaticBinding()
+    {
+        $parsedown = Parsedown::instance();
+        $this->assertInstanceOf('Parsedown', $parsedown);
+
+        // After instance is already called on Parsedown
+        // subsequent calls with the same arguments return the same instance
+        $sameParsedown = TestParsedown::instance();
+        $this->assertInstanceOf('Parsedown', $sameParsedown);
+        $this->assertSame($parsedown, $sameParsedown);
+
+        $testParsedown = TestParsedown::instance('test late static binding');
+        $this->assertInstanceOf('TestParsedown', $testParsedown);
+
+        $sameInstanceAgain = TestParsedown::instance('test late static binding');
+        $this->assertSame($testParsedown, $sameInstanceAgain);
+    }
 }

test/TestParsedown.php

@@ -0,0 +1,9 @@
+<?php
+
+class TestParsedown extends Parsedown
+{
+    public function getTextLevelElements()
+    {
+        return $this->textLevelElements;
+    }
+}

test/bootstrap.php

@@ -1,3 +0,0 @@
-<?php
-
-include 'Parsedown.php';

test/data/fenced_code_block.html

@@ -3,4 +3,9 @@
 $message = 'fenced code block';
 echo $message;</code></pre>
 <pre><code>tilde</code></pre>
-<pre><code class="language-php">echo 'language identifier';</code></pre>
+<pre><code class="language-php">echo 'language identifier';</code></pre>
+<pre><code class="language-c#">echo 'language identifier with non words';</code></pre>
+<pre><code class="language-html+php">&lt;?php
+echo "Hello World";
+?&gt;
+&lt;a href="http://auraphp.com" &gt;Aura Project&lt;/a&gt;</code></pre>

test/data/fenced_code_block.md

@@ -11,4 +11,15 @@ tilde
 
 ```php
 echo 'language identifier';
+```
+
+```c#
+echo 'language identifier with non words';
+```
+
+```html+php
+<?php
+echo "Hello World";
+?>
+<a href="http://auraphp.com" >Aura Project</a>
 ```

test/data/multiline_lists.html

@@ -0,0 +1,10 @@
+<ol>
+<li>
+<p>One
+First body copy</p>
+</li>
+<li>
+<p>Two
+Last body copy</p>
+</li>
+</ol>

test/data/multiline_lists.md

@@ -0,0 +1,5 @@
+1. One
+   First body copy
+
+2. Two
+   Last body copy

test/data/ordered_list.html

@@ -8,6 +8,6 @@
 <li>two</li>
 </ol>
 <p>large numbers:</p>
-<ol>
+<ol start="123">
 <li>one</li>
 </ol>

test/data/paragraph_list.html

@@ -8,5 +8,7 @@
 <li>
 <p>li</p>
 </li>
-<li>li</li>
+<li>
+<p>li</p>
+</li>
 </ul>

test/data/sparse_dense_list.html

@@ -2,6 +2,10 @@
 <li>
 <p>li</p>
 </li>
-<li>li</li>
-<li>li</li>
+<li>
+<p>li</p>
+</li>
+<li>
+<p>li</p>
+</li>
 </ul>

test/data/sparse_list.html

@@ -2,7 +2,9 @@
 <li>
 <p>li</p>
 </li>
-<li>li</li>
+<li>
+<p>li</p>
+</li>
 </ul>
 <hr />
 <ul>

test/data/xss_attribute_encoding.html

@@ -0,0 +1,6 @@
+<p><a href="https://www.example.com&quot;">xss</a></p>
+<p><img src="https://www.example.com&quot;" alt="xss" /></p>
+<p><a href="https://www.example.com&#039;">xss</a></p>
+<p><img src="https://www.example.com&#039;" alt="xss" /></p>
+<p><img src="https://www.example.com" alt="xss&quot;" /></p>
+<p><img src="https://www.example.com" alt="xss&#039;" /></p>

test/data/xss_attribute_encoding.md

@@ -0,0 +1,11 @@
+[xss](https://www.example.com")
+
+![xss](https://www.example.com")
+
+[xss](https://www.example.com')
+
+![xss](https://www.example.com')
+
+![xss"](https://www.example.com)
+
+![xss'](https://www.example.com)

test/data/xss_bad_url.html

@@ -0,0 +1,16 @@
+<p><a href="javascript%3Aalert(1)">xss</a></p>
+<p><a href="javascript%3Aalert(1)">xss</a></p>
+<p><a href="javascript%3A//alert(1)">xss</a></p>
+<p><a href="javascript&amp;colon;alert(1)">xss</a></p>
+<p><img src="javascript%3Aalert(1)" alt="xss" /></p>
+<p><img src="javascript%3Aalert(1)" alt="xss" /></p>
+<p><img src="javascript%3A//alert(1)" alt="xss" /></p>
+<p><img src="javascript&amp;colon;alert(1)" alt="xss" /></p>
+<p><a href="data%3Atext/html;base64,PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg==">xss</a></p>
+<p><a href="data%3Atext/html;base64,PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg==">xss</a></p>
+<p><a href="data%3A//text/html;base64,PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg==">xss</a></p>
+<p><a href="data&amp;colon;text/html;base64,PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg==">xss</a></p>
+<p><img src="data%3Atext/html;base64,PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg==" alt="xss" /></p>
+<p><img src="data%3Atext/html;base64,PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg==" alt="xss" /></p>
+<p><img src="data%3A//text/html;base64,PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg==" alt="xss" /></p>
+<p><img src="data&amp;colon;text/html;base64,PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg==" alt="xss" /></p>

test/data/xss_bad_url.md

@@ -0,0 +1,31 @@
+[xss](javascript:alert(1))
+
+[xss]( javascript:alert(1))
+
+[xss](javascript://alert(1))
+
+[xss](javascript:alert(1))
+
+![xss](javascript:alert(1))
+
+![xss]( javascript:alert(1))
+
+![xss](javascript://alert(1))
+
+![xss](javascript:alert(1))
+
+[xss](data:text/html;base64,PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg==)
+
+[xss]( data:text/html;base64,PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg==)
+
+[xss](data://text/html;base64,PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg==)
+
+[xss](data:text/html;base64,PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg==)
+
+![xss](data:text/html;base64,PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg==)
+
+![xss]( data:text/html;base64,PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg==)
+
+![xss](data://text/html;base64,PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg==)
+
+![xss](data:text/html;base64,PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg==)

test/data/xss_text_encoding.html

@@ -0,0 +1,7 @@
+<p>&lt;script&gt;alert(1)&lt;/script&gt;</p>
+<p>&lt;script&gt;</p>
+<p>alert(1)</p>
+<p>&lt;/script&gt;</p>
+<p>&lt;script&gt;
+alert(1)
+&lt;/script&gt;</p>

test/data/xss_text_encoding.md

@@ -0,0 +1,12 @@
+<script>alert(1)</script>
+
+<script>
+
+alert(1)
+
+</script>
+
+
+<script>
+alert(1)
+</script>