From 1140613fc7aa1393a6274812deab253b90027ae7 Mon Sep 17 00:00:00 2001
From: naNuke
Date: Wed, 21 Jan 2015 03:50:36 +0100
Subject: [PATCH] Prevent various XSS attacks

---
 Parsedown.php | 17 ++++++++++++++++-
 1 file changed, 16 insertions(+), 1 deletion(-)

diff --git a/Parsedown.php b/Parsedown.php
index f5dd0fa..5d810de 100644
--- a/Parsedown.php
+++ b/Parsedown.php
@@ -75,6 +75,15 @@ class Parsedown
     protected $urlsLinked = true;
 
+    function setSafeLinksEnabled($safeLinksEnabled)
+    {
+        $this->safeLinksEnabled = $safeLinksEnabled;
+
+        return $this;
+    }
+
+    protected $safeLinksEnabled = true;
+
     #
     # Lines
     #
@@ -1253,7 +1262,13 @@ class Parsedown
             $Element['attributes']['title'] = $Definition['title'];
         }
 
-        $Element['attributes']['href'] = str_replace(array('&', '<'), array('&', '<'), $Element['attributes']['href']);
+        if ( $this->safeLinksEnabled && stripos($Element['attributes']['href'], 'javascript:') === 0 )
+        {
+            return;
+        }
+
+        $Element['attributes']['href'] = htmlspecialchars($Element['attributes']['href']);
+        $Element['text'] = htmlspecialchars($Element['text']);
 
         return array(
             'extent' => $extent,
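Review bot: The guard added in the second hunk rejects only an href that starts exactly with `javascript:`, so `vbscript:` and `data:` URIs pass through untouched, and a `javascript:` scheme carrying a leading or embedded ASCII control character (which browsers strip before parsing the scheme) would slip past the prefix test if the link-destination parser outside this hunk lets such bytes through. Normalising the value before the test and matching the dangerous schemes as a set closes both gaps; if `data:` image links must keep working, narrow that entry to an explicit `data:image/...;base64,` allowlist later. Separately, `htmlspecialchars($Element['text'])` is applied to the raw link text before it reaches whatever handler renders the element (the element construction is outside the hunk), so a `&` or an entity inside the link text is likely to be double-encoded — a case such as `[a & b](http://x)` belongs in the tests. Passing `ENT_QUOTES, 'UTF-8'` explicitly to both `htmlspecialchars` calls would also make the escaping independent of the PHP version's defaults. The enclosing method starts before the hunk.
```php
        // Browsers drop ASCII control characters and whitespace before reading
        // the scheme, so normalise first and refuse script-capable schemes as a set.
        $schemeProbe = preg_replace('/[\x00-\x20]+/', '', $Element['attributes']['href']);

        if ( $this->safeLinksEnabled && preg_match('/^(javascript|vbscript|data):/i', $schemeProbe) )
        {
            return;
        }

        $Element['attributes']['href'] = htmlspecialchars($Element['attributes']['href'], ENT_QUOTES, 'UTF-8');
        // … unchanged: text handling and return array( … ) …
```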