Increment version for release

Merge pull request #745 from aidantwoods/dev-1.7.x/opt-in-rawHtml
Opt in raw html
2023-08-10 21:13:06 +03:00 · 2019-12-30 22:54:17 +00:00 · 2019-12-30 22:51:57 +00:00 · 2019-12-30 22:47:43 +00:00 · 2019-12-30 22:37:17 +00:00 · 2019-12-30 22:37:17 +00:00
6 changed files with 124 additions and 9 deletions
--- a/.travis.yml
+++ b/.travis.yml
@ -12,13 +12,13 @@ matrix:
    - php: 5.6
    - php: 7.0
    - php: 7.1
+    - php: 7.2
+    - php: 7.3
+    - php: 7.4
    - php: nightly
-    - php: hhvm
-    - php: hhvm-nightly
  fast_finish: true
  allow_failures:
    - php: nightly
-    - php: hhvm-nightly

 install:
  - composer install --prefer-dist --no-interaction --no-progress
--- a/Parsedown.php
+++ b/Parsedown.php
@ -17,7 +17,7 @@ class Parsedown
 {
    # ~

-    const version = '1.7.1';
+    const version = '1.7.4';

    # ~

@ -429,7 +429,21 @@ class Parsedown

            if (isset($matches[1]))
            {
-                $class = 'language-'.$matches[1];
+                /**
+                 * https://www.w3.org/TR/2011/WD-html5-20110525/elements.html#classes
+                 * Every HTML element may have a class attribute specified.
+                 * The attribute, if specified, must have a value that is a set
+                 * of space-separated tokens representing the various classes
+                 * that the element belongs to.
+                 * [...]
+                 * The space characters, for the purposes of this specification,
+                 * are U+0020 SPACE, U+0009 CHARACTER TABULATION (tab),
+                 * U+000A LINE FEED (LF), U+000C FORM FEED (FF), and
+                 * U+000D CARRIAGE RETURN (CR).
+                 */
+                $language = substr($matches[1], 0, strcspn($matches[1], " \t\n\f\r"));
+
+                $class = 'language-'.$language;

                $Element['attributes'] = array(
                    'class' => $class,
@ -1475,22 +1489,41 @@ class Parsedown
            }
        }

+        $permitRawHtml = false;
+
        if (isset($Element['text']))
+        {
+            $text = $Element['text'];
+        }
+        // very strongly consider an alternative if you're writing an
+        // extension
+        elseif (isset($Element['rawHtml']))
+        {
+            $text = $Element['rawHtml'];
+            $allowRawHtmlInSafeMode = isset($Element['allowRawHtmlInSafeMode']) && $Element['allowRawHtmlInSafeMode'];
+            $permitRawHtml = !$this->safeMode || $allowRawHtmlInSafeMode;
+        }
+
+        if (isset($text))
        {
            $markup .= '>';

-            if (!isset($Element['nonNestables'])) 
+            if (!isset($Element['nonNestables']))
            {
                $Element['nonNestables'] = array();
            }

            if (isset($Element['handler']))
            {
-                $markup .= $this->{$Element['handler']}($Element['text'], $Element['nonNestables']);
+                $markup .= $this->{$Element['handler']}($text, $Element['nonNestables']);
+            }
+            elseif (!$permitRawHtml)
+            {
+                $markup .= self::escape($text, true);
            }
            else
            {
-                $markup .= self::escape($Element['text'], true);
+                $markup .= $text;
            }

            $markup .= '</'.$Element['name'].'>';
--- a/test/ParsedownTest.php
+++ b/test/ParsedownTest.php
@ -1,5 +1,7 @@
 <?php

+require 'SampleExtensions.php';
+
 use PHPUnit\Framework\TestCase;

 class ParsedownTest extends TestCase
@ -55,6 +57,40 @@ class ParsedownTest extends TestCase
        $this->assertEquals($expectedMarkup, $actualMarkup);
    }

+    function testRawHtml()
+    {
+        $markdown = "```php\nfoobar\n```";
+        $expectedMarkup = '<pre><code class="language-php"><p>foobar</p></code></pre>';
+        $expectedSafeMarkup = '<pre><code class="language-php">&lt;p&gt;foobar&lt;/p&gt;</code></pre>';
+
+        $unsafeExtension = new UnsafeExtension;
+        $actualMarkup = $unsafeExtension->text($markdown);
+
+        $this->assertEquals($expectedMarkup, $actualMarkup);
+
+        $unsafeExtension->setSafeMode(true);
+        $actualSafeMarkup = $unsafeExtension->text($markdown);
+
+        $this->assertEquals($expectedSafeMarkup, $actualSafeMarkup);
+    }
+
+    function testTrustDelegatedRawHtml()
+    {
+        $markdown = "```php\nfoobar\n```";
+        $expectedMarkup = '<pre><code class="language-php"><p>foobar</p></code></pre>';
+        $expectedSafeMarkup = $expectedMarkup;
+
+        $unsafeExtension = new TrustDelegatedExtension;
+        $actualMarkup = $unsafeExtension->text($markdown);
+
+        $this->assertEquals($expectedMarkup, $actualMarkup);
+
+        $unsafeExtension->setSafeMode(true);
+        $actualSafeMarkup = $unsafeExtension->text($markdown);
+
+        $this->assertEquals($expectedSafeMarkup, $actualSafeMarkup);
+    }
+
    function data()
    {
        $data = array();
--- a/test/SampleExtensions.php
+++ b/test/SampleExtensions.php
@ -0,0 +1,39 @@
+<?php
+
+class UnsafeExtension extends Parsedown
+{
+    protected function blockFencedCodeComplete($Block)
+    {
+        $text = $Block['element']['text']['text'];
+        unset($Block['element']['text']['text']);
+
+        // WARNING: There is almost always a better way of doing things!
+        //
+        // This example is one of them, unsafe behaviour is NOT needed here.
+        // Only use this if you trust the input and have no idea what
+        // the output HTML will look like (e.g. using an external parser).
+        $Block['element']['text']['rawHtml'] = "<p>$text</p>";
+
+        return $Block;
+    }
+}
+
+class TrustDelegatedExtension extends Parsedown
+{
+    protected function blockFencedCodeComplete($Block)
+    {
+        $text = $Block['element']['text']['text'];
+        unset($Block['element']['text']['text']);
+
+        // WARNING: There is almost always a better way of doing things!
+        //
+        // This behaviour is NOT needed in the demonstrated case.
+        // Only use this if you are sure that the result being added into
+        // rawHtml is safe.
+        // (e.g. using an external parser with escaping capabilities).
+        $Block['element']['text']['rawHtml'] = "<p>$text</p>";
+        $Block['element']['text']['allowRawHtmlInSafeMode'] = true;
+
+        return $Block;
+    }
+}
--- a/test/data/fenced_code_block.html
+++ b/test/data/fenced_code_block.html
@ -8,4 +8,6 @@ echo $message;</code></pre>
 <pre><code class="language-html+php">&lt;?php
 echo "Hello World";
 ?&gt;
-&lt;a href="http://auraphp.com" &gt;Aura Project&lt;/a&gt;</code></pre>
+&lt;a href="http://auraphp.com" &gt;Aura Project&lt;/a&gt;</code></pre>
+<pre><code class="language-php">&lt;?php
+echo "Hello World";</code></pre>
--- a/test/data/fenced_code_block.md
+++ b/test/data/fenced_code_block.md
@ -22,4 +22,9 @@ echo 'language identifier with non words';
 echo "Hello World";
 ?>
 <a href="http://auraphp.com" >Aura Project</a>
+```
+
+```php some-class
+<?php
+echo "Hello World";
 ```
Author	SHA1	Message	Date
Aidan Woods	cb17b6477d	Increment version for release	2019-12-30 22:54:17 +00:00
Aidan Woods	21f99b156a	Merge pull request #745 from aidantwoods/dev-1.7.x/opt-in-rawHtml Opt in raw html	2019-12-30 22:51:57 +00:00
Aidan Woods	791faca8af	Test on 7.4	2019-12-30 22:47:43 +00:00
Aidan Woods	add8d18c80	Add rawHtml without using it (extensions may opt-in)	2019-12-30 22:37:17 +00:00
Aidan Woods	7073ac3ed1	Dev for 1.7.4	2019-12-30 22:37:17 +00:00
Aidan Woods	3d2b25b79d	Add test to prevent regression	2019-04-10 21:49:32 +01:00
Aidan Woods	6d89393817	New release due to mislabeled previous tag	2019-03-17 18:48:37 +00:00
Aidan Woods	d60bcdc469	Bump version	2019-03-17 17:19:46 +00:00
Aidan Woods	c390a9e406	Merge pull request #700 from aidantwoods/fix/spaces-in-class-names-1.7.x [1.7.x] Fix spaces in class names	2019-03-17 17:14:45 +00:00
Aidan Woods	0f1e9da8f4	Fix test platforms	2019-03-17 17:05:15 +00:00
Aidan Woods	bc003952fc	[1.7.x] Fix spaces in class names	2019-03-17 16:49:45 +00:00