Merge branch 'master' into patch-4
This commit is contained in:
commit
21cdd8a0b3
|
@ -0,0 +1,6 @@
|
|||
# Ignore all tests for archive
|
||||
/test export-ignore
|
||||
/.gitattributes export-ignore
|
||||
/.gitignore export-ignore
|
||||
/.travis.yml export-ignore
|
||||
/phpunit.xml.dist export-ignore
|
|
@ -0,0 +1,2 @@
|
|||
composer.lock
|
||||
vendor/
|
31
.travis.yml
31
.travis.yml
|
@ -1,16 +1,29 @@
|
|||
language: php
|
||||
|
||||
php:
|
||||
- 7.1
|
||||
- 7.0
|
||||
- 5.6
|
||||
- 5.5
|
||||
- 5.4
|
||||
- 5.3
|
||||
- hhvm
|
||||
- hhvm-nightly
|
||||
dist: trusty
|
||||
sudo: false
|
||||
|
||||
matrix:
|
||||
include:
|
||||
- php: 5.3
|
||||
dist: precise
|
||||
- php: 5.4
|
||||
- php: 5.5
|
||||
- php: 5.6
|
||||
- php: 7.0
|
||||
- php: 7.1
|
||||
- php: nightly
|
||||
- php: hhvm
|
||||
- php: hhvm-nightly
|
||||
fast_finish: true
|
||||
allow_failures:
|
||||
- php: nightly
|
||||
- php: hhvm-nightly
|
||||
|
||||
install:
|
||||
- composer install --prefer-dist --no-interaction --no-progress
|
||||
|
||||
script:
|
||||
- vendor/bin/phpunit
|
||||
- vendor/bin/phpunit test/CommonMarkTestWeak.php || true
|
||||
- '[ -z "$TRAVIS_TAG" ] || [ "$TRAVIS_TAG" == "$(php -r "require(\"Parsedown.php\"); echo Parsedown::version;")" ]'
|
||||
|
|
|
@ -1,6 +1,6 @@
|
|||
The MIT License (MIT)
|
||||
|
||||
Copyright (c) 2013 Emanuil Rusev, erusev.com
|
||||
Copyright (c) 2013-2018 Emanuil Rusev, erusev.com
|
||||
|
||||
Permission is hereby granted, free of charge, to any person obtaining a copy of
|
||||
this software and associated documentation files (the "Software"), to deal in
|
||||
|
@ -17,4 +17,4 @@ IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS
|
|||
FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR
|
||||
COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER
|
||||
IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
|
||||
CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
|
||||
CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
|
||||
|
|
313
Parsedown.php
313
Parsedown.php
|
@ -17,7 +17,7 @@ class Parsedown
|
|||
{
|
||||
# ~
|
||||
|
||||
const version = '1.6.0';
|
||||
const version = '1.7.1';
|
||||
|
||||
# ~
|
||||
|
||||
|
@ -75,6 +75,32 @@ class Parsedown
|
|||
|
||||
protected $urlsLinked = true;
|
||||
|
||||
function setSafeMode($safeMode)
|
||||
{
|
||||
$this->safeMode = (bool) $safeMode;
|
||||
|
||||
return $this;
|
||||
}
|
||||
|
||||
protected $safeMode;
|
||||
|
||||
protected $safeLinksWhitelist = array(
|
||||
'http://',
|
||||
'https://',
|
||||
'ftp://',
|
||||
'ftps://',
|
||||
'mailto:',
|
||||
'data:image/png;base64,',
|
||||
'data:image/gif;base64,',
|
||||
'data:image/jpeg;base64,',
|
||||
'irc:',
|
||||
'ircs:',
|
||||
'git:',
|
||||
'ssh:',
|
||||
'news:',
|
||||
'steam:',
|
||||
);
|
||||
|
||||
#
|
||||
# Lines
|
||||
#
|
||||
|
@ -342,8 +368,6 @@ class Parsedown
|
|||
{
|
||||
$text = $Block['element']['text']['text'];
|
||||
|
||||
$text = htmlspecialchars($text, ENT_NOQUOTES, 'UTF-8');
|
||||
|
||||
$Block['element']['text']['text'] = $text;
|
||||
|
||||
return $Block;
|
||||
|
@ -354,7 +378,7 @@ class Parsedown
|
|||
|
||||
protected function blockComment($Line)
|
||||
{
|
||||
if ($this->markupEscaped)
|
||||
if ($this->markupEscaped or $this->safeMode)
|
||||
{
|
||||
return;
|
||||
}
|
||||
|
@ -396,7 +420,7 @@ class Parsedown
|
|||
|
||||
protected function blockFencedCode($Line)
|
||||
{
|
||||
if (preg_match('/^['.$Line['text'][0].']{3,}[ ]*([\w-]+)?[ ]*$/', $Line['text'], $matches))
|
||||
if (preg_match('/^['.$Line['text'][0].']{3,}[ ]*([^`]+)?[ ]*$/', $Line['text'], $matches))
|
||||
{
|
||||
$Element = array(
|
||||
'name' => 'code',
|
||||
|
@ -448,7 +472,7 @@ class Parsedown
|
|||
return $Block;
|
||||
}
|
||||
|
||||
$Block['element']['text']['text'] .= "\n".$Line['body'];;
|
||||
$Block['element']['text']['text'] .= "\n".$Line['body'];
|
||||
|
||||
return $Block;
|
||||
}
|
||||
|
@ -457,8 +481,6 @@ class Parsedown
|
|||
{
|
||||
$text = $Block['element']['text']['text'];
|
||||
|
||||
$text = htmlspecialchars($text, ENT_NOQUOTES, 'UTF-8');
|
||||
|
||||
$Block['element']['text']['text'] = $text;
|
||||
|
||||
return $Block;
|
||||
|
@ -533,7 +555,7 @@ class Parsedown
|
|||
),
|
||||
);
|
||||
|
||||
if($name === 'ol')
|
||||
if($name === 'ol')
|
||||
{
|
||||
$listStart = ltrim(strstr($matches[1], $Block['data']['markerType'], true), '0') ?: '0';
|
||||
|
||||
|
@ -584,6 +606,8 @@ class Parsedown
|
|||
{
|
||||
$Block['li']['text'] []= '';
|
||||
|
||||
$Block['loose'] = true;
|
||||
|
||||
unset($Block['interrupted']);
|
||||
}
|
||||
|
||||
|
@ -641,6 +665,22 @@ class Parsedown
|
|||
}
|
||||
}
|
||||
|
||||
protected function blockListComplete(array $Block)
|
||||
{
|
||||
if (isset($Block['loose']))
|
||||
{
|
||||
foreach ($Block['element']['text'] as &$li)
|
||||
{
|
||||
if (end($li['text']) !== '')
|
||||
{
|
||||
$li['text'] []= '';
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
return $Block;
|
||||
}
|
||||
|
||||
#
|
||||
# Quote
|
||||
|
||||
|
@ -711,8 +751,10 @@ class Parsedown
|
|||
return;
|
||||
}
|
||||
|
||||
if (chop($Line['text'], $Line['text'][0]) === '')
|
||||
{
|
||||
if (
|
||||
chop(chop($Line['text'], ' '), $Line['text'][0]) === ''
|
||||
and $Line['indent'] < 4
|
||||
) {
|
||||
$Block['element']['name'] = $Line['text'][0] === '=' ? 'h1' : 'h2';
|
||||
|
||||
return $Block;
|
||||
|
@ -724,12 +766,12 @@ class Parsedown
|
|||
|
||||
protected function blockMarkup($Line)
|
||||
{
|
||||
if ($this->markupEscaped)
|
||||
if ($this->markupEscaped or $this->safeMode)
|
||||
{
|
||||
return;
|
||||
}
|
||||
|
||||
if (preg_match('/^<(\w*)(?:[ ]*'.$this->regexHtmlAttribute.')*[ ]*(\/)?>/', $Line['text'], $matches))
|
||||
if (preg_match('/^<[\/]?+(\w*)(?:[ ]*'.$this->regexHtmlAttribute.')*[ ]*(\/)?>/', $Line['text'], $matches))
|
||||
{
|
||||
$element = strtolower($matches[1]);
|
||||
|
||||
|
@ -740,71 +782,20 @@ class Parsedown
|
|||
|
||||
$Block = array(
|
||||
'name' => $matches[1],
|
||||
'depth' => 0,
|
||||
'markup' => $Line['text'],
|
||||
);
|
||||
|
||||
$length = strlen($matches[0]);
|
||||
|
||||
$remainder = substr($Line['text'], $length);
|
||||
|
||||
if (trim($remainder) === '')
|
||||
{
|
||||
if (isset($matches[2]) or in_array($matches[1], $this->voidElements))
|
||||
{
|
||||
$Block['closed'] = true;
|
||||
|
||||
$Block['void'] = true;
|
||||
}
|
||||
}
|
||||
else
|
||||
{
|
||||
if (isset($matches[2]) or in_array($matches[1], $this->voidElements))
|
||||
{
|
||||
return;
|
||||
}
|
||||
|
||||
if (preg_match('/<\/'.$matches[1].'>[ ]*$/i', $remainder))
|
||||
{
|
||||
$Block['closed'] = true;
|
||||
}
|
||||
}
|
||||
|
||||
return $Block;
|
||||
}
|
||||
}
|
||||
|
||||
protected function blockMarkupContinue($Line, array $Block)
|
||||
{
|
||||
if (isset($Block['closed']))
|
||||
if (isset($Block['closed']) or isset($Block['interrupted']))
|
||||
{
|
||||
return;
|
||||
}
|
||||
|
||||
if (preg_match('/^<'.$Block['name'].'(?:[ ]*'.$this->regexHtmlAttribute.')*[ ]*>/i', $Line['text'])) # open
|
||||
{
|
||||
$Block['depth'] ++;
|
||||
}
|
||||
|
||||
if (preg_match('/(.*?)<\/'.$Block['name'].'>[ ]*$/i', $Line['text'], $matches)) # close
|
||||
{
|
||||
if ($Block['depth'] > 0)
|
||||
{
|
||||
$Block['depth'] --;
|
||||
}
|
||||
else
|
||||
{
|
||||
$Block['closed'] = true;
|
||||
}
|
||||
}
|
||||
|
||||
if (isset($Block['interrupted']))
|
||||
{
|
||||
$Block['markup'] .= "\n";
|
||||
|
||||
unset($Block['interrupted']);
|
||||
}
|
||||
|
||||
$Block['markup'] .= "\n".$Line['body'];
|
||||
|
||||
return $Block;
|
||||
|
@ -1043,7 +1034,7 @@ class Parsedown
|
|||
# ~
|
||||
#
|
||||
|
||||
public function line($text)
|
||||
public function line($text, $nonNestables=array())
|
||||
{
|
||||
$markup = '';
|
||||
|
||||
|
@ -1059,6 +1050,13 @@ class Parsedown
|
|||
|
||||
foreach ($this->InlineTypes[$marker] as $inlineType)
|
||||
{
|
||||
# check to see if the current inline type is nestable in the current context
|
||||
|
||||
if ( ! empty($nonNestables) and in_array($inlineType, $nonNestables))
|
||||
{
|
||||
continue;
|
||||
}
|
||||
|
||||
$Inline = $this->{'inline'.$inlineType}($Excerpt);
|
||||
|
||||
if ( ! isset($Inline))
|
||||
|
@ -1080,6 +1078,13 @@ class Parsedown
|
|||
$Inline['position'] = $markerPosition;
|
||||
}
|
||||
|
||||
# cause the new element to 'inherit' our non nestables
|
||||
|
||||
foreach ($nonNestables as $non_nestable)
|
||||
{
|
||||
$Inline['element']['nonNestables'][] = $non_nestable;
|
||||
}
|
||||
|
||||
# the text that comes before the inline
|
||||
$unmarkedText = substr($text, 0, $Inline['position']);
|
||||
|
||||
|
@ -1120,7 +1125,6 @@ class Parsedown
|
|||
if (preg_match('/^('.$marker.'+)[ ]*(.+?)[ ]*(?<!'.$marker.')\1(?!'.$marker.')/s', $Excerpt['text'], $matches))
|
||||
{
|
||||
$text = $matches[2];
|
||||
$text = htmlspecialchars($text, ENT_NOQUOTES, 'UTF-8');
|
||||
$text = preg_replace("/[ ]*\n/", ' ', $text);
|
||||
|
||||
return array(
|
||||
|
@ -1135,8 +1139,14 @@ class Parsedown
|
|||
|
||||
protected function inlineEmailTag($Excerpt)
|
||||
{
|
||||
if (strpos($Excerpt['text'], '>') !== false and preg_match('/^<((mailto:)?\S+?@\S+?)>/i', $Excerpt['text'], $matches))
|
||||
{
|
||||
$hostnameLabel = '[a-zA-Z0-9](?:[a-zA-Z0-9-]{0,61}[a-zA-Z0-9])?';
|
||||
|
||||
$commonMarkEmail = '[a-zA-Z0-9.!#$%&\'*+\/=?^_`{|}~-]++@'
|
||||
. $hostnameLabel . '(?:\.' . $hostnameLabel . ')*';
|
||||
|
||||
if (strpos($Excerpt['text'], '>') !== false
|
||||
and preg_match("/^<((mailto:)?$commonMarkEmail)>/i", $Excerpt['text'], $matches)
|
||||
){
|
||||
$url = $matches[1];
|
||||
|
||||
if ( ! isset($matches[2]))
|
||||
|
@ -1239,6 +1249,7 @@ class Parsedown
|
|||
$Element = array(
|
||||
'name' => 'a',
|
||||
'handler' => 'line',
|
||||
'nonNestables' => array('Url', 'Link'),
|
||||
'text' => null,
|
||||
'attributes' => array(
|
||||
'href' => null,
|
||||
|
@ -1250,7 +1261,7 @@ class Parsedown
|
|||
|
||||
$remainder = $Excerpt['text'];
|
||||
|
||||
if (preg_match('/\[((?:[^][]|(?R))*)\]/', $remainder, $matches))
|
||||
if (preg_match('/\[((?:[^][]++|(?R))*+)\]/', $remainder, $matches))
|
||||
{
|
||||
$Element['text'] = $matches[1];
|
||||
|
||||
|
@ -1263,7 +1274,7 @@ class Parsedown
|
|||
return;
|
||||
}
|
||||
|
||||
if (preg_match('/^[(]((?:[^ ()]|[(][^ )]+[)])+)(?:[ ]+("[^"]*"|\'[^\']*\'))?[)]/', $remainder, $matches))
|
||||
if (preg_match('/^[(]\s*+((?:[^ ()]++|[(][^ )]+[)])++)(?:[ ]+("[^"]*"|\'[^\']*\'))?\s*[)]/', $remainder, $matches))
|
||||
{
|
||||
$Element['attributes']['href'] = $matches[1];
|
||||
|
||||
|
@ -1299,8 +1310,6 @@ class Parsedown
|
|||
$Element['attributes']['title'] = $Definition['title'];
|
||||
}
|
||||
|
||||
$Element['attributes']['href'] = str_replace(array('&', '<'), array('&', '<'), $Element['attributes']['href']);
|
||||
|
||||
return array(
|
||||
'extent' => $extent,
|
||||
'element' => $Element,
|
||||
|
@ -1309,12 +1318,12 @@ class Parsedown
|
|||
|
||||
protected function inlineMarkup($Excerpt)
|
||||
{
|
||||
if ($this->markupEscaped or strpos($Excerpt['text'], '>') === false)
|
||||
if ($this->markupEscaped or $this->safeMode or strpos($Excerpt['text'], '>') === false)
|
||||
{
|
||||
return;
|
||||
}
|
||||
|
||||
if ($Excerpt['text'][1] === '/' and preg_match('/^<\/\w*[ ]*>/s', $Excerpt['text'], $matches))
|
||||
if ($Excerpt['text'][1] === '/' and preg_match('/^<\/\w[\w-]*[ ]*>/s', $Excerpt['text'], $matches))
|
||||
{
|
||||
return array(
|
||||
'markup' => $matches[0],
|
||||
|
@ -1330,7 +1339,7 @@ class Parsedown
|
|||
);
|
||||
}
|
||||
|
||||
if ($Excerpt['text'][1] !== ' ' and preg_match('/^<\w*(?:[ ]*'.$this->regexHtmlAttribute.')*[ ]*\/?>/s', $Excerpt['text'], $matches))
|
||||
if ($Excerpt['text'][1] !== ' ' and preg_match('/^<\w[\w-]*(?:[ ]*'.$this->regexHtmlAttribute.')*[ ]*\/?>/s', $Excerpt['text'], $matches))
|
||||
{
|
||||
return array(
|
||||
'markup' => $matches[0],
|
||||
|
@ -1389,14 +1398,16 @@ class Parsedown
|
|||
|
||||
if (preg_match('/\bhttps?:[\/]{2}[^\s<]+\b\/*/ui', $Excerpt['context'], $matches, PREG_OFFSET_CAPTURE))
|
||||
{
|
||||
$url = $matches[0][0];
|
||||
|
||||
$Inline = array(
|
||||
'extent' => strlen($matches[0][0]),
|
||||
'position' => $matches[0][1],
|
||||
'element' => array(
|
||||
'name' => 'a',
|
||||
'text' => $matches[0][0],
|
||||
'text' => $url,
|
||||
'attributes' => array(
|
||||
'href' => $matches[0][0],
|
||||
'href' => $url,
|
||||
),
|
||||
),
|
||||
);
|
||||
|
@ -1409,7 +1420,7 @@ class Parsedown
|
|||
{
|
||||
if (strpos($Excerpt['text'], '>') !== false and preg_match('/^<(\w+:\/{2}[^ >]+)>/i', $Excerpt['text'], $matches))
|
||||
{
|
||||
$url = str_replace(array('&', '<'), array('&', '<'), $matches[1]);
|
||||
$url = $matches[1];
|
||||
|
||||
return array(
|
||||
'extent' => strlen($matches[0]),
|
||||
|
@ -1447,37 +1458,74 @@ class Parsedown
|
|||
|
||||
protected function element(array $Element)
|
||||
{
|
||||
$markup = '<'.$Element['name'];
|
||||
|
||||
if (isset($Element['attributes']))
|
||||
if ($this->safeMode)
|
||||
{
|
||||
foreach ($Element['attributes'] as $name => $value)
|
||||
{
|
||||
if ($value === null)
|
||||
{
|
||||
continue;
|
||||
}
|
||||
$Element = $this->sanitiseElement($Element);
|
||||
}
|
||||
|
||||
$markup .= ' '.$name.'="'.$value.'"';
|
||||
$hasName = isset($Element['name']);
|
||||
|
||||
$markup = '';
|
||||
|
||||
if ($hasName)
|
||||
{
|
||||
$markup .= '<'.$Element['name'];
|
||||
|
||||
if (isset($Element['attributes']))
|
||||
{
|
||||
foreach ($Element['attributes'] as $name => $value)
|
||||
{
|
||||
if ($value === null)
|
||||
{
|
||||
continue;
|
||||
}
|
||||
|
||||
$markup .= ' '.$name.'="'.self::escape($value).'"';
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
$permitRawHtml = false;
|
||||
|
||||
if (isset($Element['text']))
|
||||
{
|
||||
$markup .= '>';
|
||||
$text = $Element['text'];
|
||||
}
|
||||
// very strongly consider an alternative if you're writing an
|
||||
// extension
|
||||
elseif (isset($Element['rawHtml']))
|
||||
{
|
||||
$text = $Element['rawHtml'];
|
||||
|
||||
$allowRawHtmlInSafeMode = isset($Element['allowRawHtmlInSafeMode']) && $Element['allowRawHtmlInSafeMode'];
|
||||
$permitRawHtml = !$this->safeMode || $allowRawHtmlInSafeMode;
|
||||
}
|
||||
|
||||
if (isset($text))
|
||||
{
|
||||
$markup .= $hasName ? '>' : '';
|
||||
|
||||
if (!isset($Element['nonNestables']))
|
||||
{
|
||||
$Element['nonNestables'] = array();
|
||||
}
|
||||
|
||||
if (isset($Element['handler']))
|
||||
{
|
||||
$markup .= $this->{$Element['handler']}($Element['text']);
|
||||
$markup .= $this->{$Element['handler']}($text, $Element['nonNestables']);
|
||||
}
|
||||
elseif (!$permitRawHtml)
|
||||
{
|
||||
$markup .= self::escape($text, true);
|
||||
}
|
||||
else
|
||||
{
|
||||
$markup .= $Element['text'];
|
||||
$markup .= $text;
|
||||
}
|
||||
|
||||
$markup .= '</'.$Element['name'].'>';
|
||||
$markup .= $hasName ? '</'.$Element['name'].'>' : '';
|
||||
}
|
||||
else
|
||||
elseif ($hasName)
|
||||
{
|
||||
$markup .= ' />';
|
||||
}
|
||||
|
@ -1531,10 +1579,77 @@ class Parsedown
|
|||
return $markup;
|
||||
}
|
||||
|
||||
protected function sanitiseElement(array $Element)
|
||||
{
|
||||
static $goodAttribute = '/^[a-zA-Z0-9][a-zA-Z0-9-_]*+$/';
|
||||
static $safeUrlNameToAtt = array(
|
||||
'a' => 'href',
|
||||
'img' => 'src',
|
||||
);
|
||||
|
||||
if (isset($safeUrlNameToAtt[$Element['name']]))
|
||||
{
|
||||
$Element = $this->filterUnsafeUrlInAttribute($Element, $safeUrlNameToAtt[$Element['name']]);
|
||||
}
|
||||
|
||||
if ( ! empty($Element['attributes']))
|
||||
{
|
||||
foreach ($Element['attributes'] as $att => $val)
|
||||
{
|
||||
# filter out badly parsed attribute
|
||||
if ( ! preg_match($goodAttribute, $att))
|
||||
{
|
||||
unset($Element['attributes'][$att]);
|
||||
}
|
||||
# dump onevent attribute
|
||||
elseif (self::striAtStart($att, 'on'))
|
||||
{
|
||||
unset($Element['attributes'][$att]);
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
return $Element;
|
||||
}
|
||||
|
||||
protected function filterUnsafeUrlInAttribute(array $Element, $attribute)
|
||||
{
|
||||
foreach ($this->safeLinksWhitelist as $scheme)
|
||||
{
|
||||
if (self::striAtStart($Element['attributes'][$attribute], $scheme))
|
||||
{
|
||||
return $Element;
|
||||
}
|
||||
}
|
||||
|
||||
$Element['attributes'][$attribute] = str_replace(':', '%3A', $Element['attributes'][$attribute]);
|
||||
|
||||
return $Element;
|
||||
}
|
||||
|
||||
#
|
||||
# Static Methods
|
||||
#
|
||||
|
||||
protected static function escape($text, $allowQuotes = false)
|
||||
{
|
||||
return htmlspecialchars($text, $allowQuotes ? ENT_NOQUOTES : ENT_QUOTES, 'UTF-8');
|
||||
}
|
||||
|
||||
protected static function striAtStart($string, $needle)
|
||||
{
|
||||
$len = strlen($needle);
|
||||
|
||||
if ($len > strlen($string))
|
||||
{
|
||||
return false;
|
||||
}
|
||||
else
|
||||
{
|
||||
return strtolower(substr($string, 0, $len)) === strtolower($needle);
|
||||
}
|
||||
}
|
||||
|
||||
static function instance($name = 'default')
|
||||
{
|
||||
if (isset(self::$instances[$name]))
|
||||
|
@ -1585,10 +1700,10 @@ class Parsedown
|
|||
'b', 'em', 'big', 'cite', 'small', 'spacer', 'listing',
|
||||
'i', 'rp', 'del', 'code', 'strike', 'marquee',
|
||||
'q', 'rt', 'ins', 'font', 'strong',
|
||||
's', 'tt', 'sub', 'mark',
|
||||
'u', 'xm', 'sup', 'nobr',
|
||||
'var', 'ruby',
|
||||
'wbr', 'span',
|
||||
'time',
|
||||
's', 'tt', 'kbd', 'mark',
|
||||
'u', 'xm', 'sub', 'nobr',
|
||||
'sup', 'ruby',
|
||||
'var', 'span',
|
||||
'wbr', 'time',
|
||||
);
|
||||
}
|
||||
|
|
38
README.md
38
README.md
|
@ -1,4 +1,4 @@
|
|||
> You might also like [Caret](http://caret.io?ref=parsedown) - our Markdown editor for Mac / Windows / Linux.
|
||||
> I also make [Caret](https://caret.io?ref=parsedown) - a Markdown editor for Mac and PC.
|
||||
|
||||
## Parsedown
|
||||
|
||||
|
@ -15,6 +15,7 @@ Better Markdown Parser in PHP
|
|||
### Features
|
||||
|
||||
* One File
|
||||
* No Dependencies
|
||||
* Super Fast
|
||||
* Extensible
|
||||
* [GitHub flavored](https://help.github.com/articles/github-flavored-markdown)
|
||||
|
@ -31,15 +32,46 @@ Include `Parsedown.php` or install [the composer package](https://packagist.org/
|
|||
$Parsedown = new Parsedown();
|
||||
|
||||
echo $Parsedown->text('Hello _Parsedown_!'); # prints: <p>Hello <em>Parsedown</em>!</p>
|
||||
// you can also parse inline markdown only
|
||||
echo $Parsedown->line('Hello _Parsedown_!'); # prints: Hello <em>Parsedown</em>!
|
||||
```
|
||||
|
||||
More examples in [the wiki](https://github.com/erusev/parsedown/wiki/) and in [this video tutorial](http://youtu.be/wYZBY8DEikI).
|
||||
|
||||
### Security
|
||||
|
||||
Parsedown is capable of escaping user-input within the HTML that it generates. Additionally Parsedown will apply sanitisation to additional scripting vectors (such as scripting link destinations) that are introduced by the markdown syntax itself.
|
||||
|
||||
To tell Parsedown that it is processing untrusted user-input, use the following:
|
||||
```php
|
||||
$parsedown = new Parsedown;
|
||||
$parsedown->setSafeMode(true);
|
||||
```
|
||||
|
||||
If instead, you wish to allow HTML within untrusted user-input, but still want output to be free from XSS it is recommended that you make use of a HTML sanitiser that allows HTML tags to be whitelisted, like [HTML Purifier](http://htmlpurifier.org/).
|
||||
|
||||
In both cases you should strongly consider employing defence-in-depth measures, like [deploying a Content-Security-Policy](https://scotthelme.co.uk/content-security-policy-an-introduction/) (a browser security feature) so that your page is likely to be safe even if an attacker finds a vulnerability in one of the first lines of defence above.
|
||||
|
||||
#### Security of Parsedown Extensions
|
||||
|
||||
Safe mode does not necessarily yield safe results when using extensions to Parsedown. Extensions should be evaluated on their own to determine their specific safety against XSS.
|
||||
|
||||
### Escaping HTML
|
||||
> ⚠️ **WARNING:** This method isn't safe from XSS!
|
||||
|
||||
If you wish to escape HTML **in trusted input**, you can use the following:
|
||||
```php
|
||||
$parsedown = new Parsedown;
|
||||
$parsedown->setMarkupEscaped(true);
|
||||
```
|
||||
|
||||
Beware that this still allows users to insert unsafe scripting vectors, such as links like `[xss](javascript:alert%281%29)`.
|
||||
|
||||
### Questions
|
||||
|
||||
**How does Parsedown work?**
|
||||
|
||||
It tries to read Markdown like a human. First, it looks at the lines. It’s interested in how the lines start. This helps it recognise blocks. It knows, for example, that if a line start with a `-` then it perhaps belong to a list. Once it recognises the blocks, it continues to the content. As it reads, it watches out for special characters. This helps it recognise inline elements (or inlines).
|
||||
It tries to read Markdown like a human. First, it looks at the lines. It’s interested in how the lines start. This helps it recognise blocks. It knows, for example, that if a line starts with a `-` then perhaps it belongs to a list. Once it recognises the blocks, it continues to the content. As it reads, it watches out for special characters. This helps it recognise inline elements (or inlines).
|
||||
|
||||
We call this approach "line based". We believe that Parsedown is the first Markdown parser to use it. Since the release of Parsedown, other developers have used the same approach to develop other Markdown parsers in PHP and in other languages.
|
||||
|
||||
|
@ -49,7 +81,7 @@ It passes most of the CommonMark tests. Most of the tests that don't pass deal w
|
|||
|
||||
**Who uses it?**
|
||||
|
||||
[phpDocumentor](http://www.phpdoc.org/), [October CMS](http://octobercms.com/), [Bolt CMS](http://bolt.cm/), [Kirby CMS](http://getkirby.com/), [Grav CMS](http://getgrav.org/), [Statamic CMS](http://www.statamic.com/), [Herbie CMS](http://www.getherbie.org/), [RaspberryPi.org](http://www.raspberrypi.org/) and [more](https://packagist.org/packages/erusev/parsedown/dependents).
|
||||
[Laravel Framework](https://laravel.com/), [Bolt CMS](http://bolt.cm/), [Grav CMS](http://getgrav.org/), [Herbie CMS](http://www.getherbie.org/), [Kirby CMS](http://getkirby.com/), [October CMS](http://octobercms.com/), [Pico CMS](http://picocms.org), [Statamic CMS](http://www.statamic.com/), [phpDocumentor](http://www.phpdoc.org/), [RaspberryPi.org](http://www.raspberrypi.org/), [Symfony demo](https://github.com/symfony/symfony-demo) and [more](https://packagist.org/packages/erusev/parsedown/dependents).
|
||||
|
||||
**How can I help?**
|
||||
|
||||
|
|
|
@ -13,9 +13,21 @@
|
|||
}
|
||||
],
|
||||
"require": {
|
||||
"php": ">=5.3.0"
|
||||
"php": ">=5.3.0",
|
||||
"ext-mbstring": "*"
|
||||
},
|
||||
"require-dev": {
|
||||
"phpunit/phpunit": "^4.8.35"
|
||||
},
|
||||
"autoload": {
|
||||
"psr-0": {"Parsedown": ""}
|
||||
},
|
||||
"autoload-dev": {
|
||||
"psr-0": {
|
||||
"TestParsedown": "test/",
|
||||
"ParsedownTest": "test/",
|
||||
"CommonMarkTest": "test/",
|
||||
"CommonMarkTestWeak": "test/"
|
||||
}
|
||||
}
|
||||
}
|
||||
|
|
|
@ -1,8 +1,8 @@
|
|||
<?xml version="1.0" encoding="UTF-8"?>
|
||||
<phpunit bootstrap="test/bootstrap.php" colors="true">
|
||||
<phpunit bootstrap="vendor/autoload.php" colors="true">
|
||||
<testsuites>
|
||||
<testsuite>
|
||||
<file>test/ParsedownTest.php</file>
|
||||
</testsuite>
|
||||
</testsuites>
|
||||
</phpunit>
|
||||
</phpunit>
|
||||
|
|
|
@ -1,74 +0,0 @@
|
|||
<?php
|
||||
|
||||
/**
|
||||
* Test Parsedown against the CommonMark spec.
|
||||
*
|
||||
* Some code based on the original JavaScript test runner by jgm.
|
||||
*
|
||||
* @link http://commonmark.org/ CommonMark
|
||||
* @link http://git.io/8WtRvQ JavaScript test runner
|
||||
*/
|
||||
class CommonMarkTest extends PHPUnit_Framework_TestCase
|
||||
{
|
||||
const SPEC_URL = 'https://raw.githubusercontent.com/jgm/stmd/master/spec.txt';
|
||||
|
||||
/**
|
||||
* @dataProvider data
|
||||
* @param $section
|
||||
* @param $markdown
|
||||
* @param $expectedHtml
|
||||
*/
|
||||
function test_($section, $markdown, $expectedHtml)
|
||||
{
|
||||
$Parsedown = new Parsedown();
|
||||
$Parsedown->setUrlsLinked(false);
|
||||
|
||||
$actualHtml = $Parsedown->text($markdown);
|
||||
$actualHtml = $this->normalizeMarkup($actualHtml);
|
||||
|
||||
$this->assertEquals($expectedHtml, $actualHtml);
|
||||
}
|
||||
|
||||
function data()
|
||||
{
|
||||
$spec = file_get_contents(self::SPEC_URL);
|
||||
$spec = strstr($spec, '<!-- END TESTS -->', true);
|
||||
|
||||
$tests = array();
|
||||
$currentSection = '';
|
||||
|
||||
preg_replace_callback(
|
||||
'/^\.\n([\s\S]*?)^\.\n([\s\S]*?)^\.$|^#{1,6} *(.*)$/m',
|
||||
function($matches) use ( & $tests, & $currentSection, & $testCount) {
|
||||
if (isset($matches[3]) and $matches[3]) {
|
||||
$currentSection = $matches[3];
|
||||
} else {
|
||||
$testCount++;
|
||||
$markdown = $matches[1];
|
||||
$markdown = preg_replace('/→/', "\t", $markdown);
|
||||
$expectedHtml = $matches[2];
|
||||
$expectedHtml = $this->normalizeMarkup($expectedHtml);
|
||||
$tests []= array(
|
||||
$currentSection, # section
|
||||
$markdown, # markdown
|
||||
$expectedHtml, # html
|
||||
);
|
||||
}
|
||||
},
|
||||
$spec
|
||||
);
|
||||
|
||||
return $tests;
|
||||
}
|
||||
|
||||
private function normalizeMarkup($markup)
|
||||
{
|
||||
$markup = preg_replace("/\n+/", "\n", $markup);
|
||||
$markup = preg_replace('/^\s+/m', '', $markup);
|
||||
$markup = preg_replace('/^((?:<[\w]+>)+)\n/m', '$1', $markup);
|
||||
$markup = preg_replace('/\n((?:<\/[\w]+>)+)$/m', '$1', $markup);
|
||||
$markup = trim($markup);
|
||||
|
||||
return $markup;
|
||||
}
|
||||
}
|
|
@ -0,0 +1,71 @@
|
|||
<?php
|
||||
|
||||
/**
|
||||
* Test Parsedown against the CommonMark spec
|
||||
*
|
||||
* @link http://commonmark.org/ CommonMark
|
||||
*/
|
||||
class CommonMarkTestStrict extends PHPUnit_Framework_TestCase
|
||||
{
|
||||
const SPEC_URL = 'https://raw.githubusercontent.com/jgm/CommonMark/master/spec.txt';
|
||||
|
||||
protected $parsedown;
|
||||
|
||||
protected function setUp()
|
||||
{
|
||||
$this->parsedown = new TestParsedown();
|
||||
$this->parsedown->setUrlsLinked(false);
|
||||
}
|
||||
|
||||
/**
|
||||
* @dataProvider data
|
||||
* @param $id
|
||||
* @param $section
|
||||
* @param $markdown
|
||||
* @param $expectedHtml
|
||||
*/
|
||||
public function testExample($id, $section, $markdown, $expectedHtml)
|
||||
{
|
||||
$actualHtml = $this->parsedown->text($markdown);
|
||||
$this->assertEquals($expectedHtml, $actualHtml);
|
||||
}
|
||||
|
||||
/**
|
||||
* @return array
|
||||
*/
|
||||
public function data()
|
||||
{
|
||||
$spec = file_get_contents(self::SPEC_URL);
|
||||
if ($spec === false) {
|
||||
$this->fail('Unable to load CommonMark spec from ' . self::SPEC_URL);
|
||||
}
|
||||
|
||||
$spec = str_replace("\r\n", "\n", $spec);
|
||||
$spec = strstr($spec, '<!-- END TESTS -->', true);
|
||||
|
||||
$matches = array();
|
||||
preg_match_all('/^`{32} example\n((?s).*?)\n\.\n(?:|((?s).*?)\n)`{32}$|^#{1,6} *(.*?)$/m', $spec, $matches, PREG_SET_ORDER);
|
||||
|
||||
$data = array();
|
||||
$currentId = 0;
|
||||
$currentSection = '';
|
||||
foreach ($matches as $match) {
|
||||
if (isset($match[3])) {
|
||||
$currentSection = $match[3];
|
||||
} else {
|
||||
$currentId++;
|
||||
$markdown = str_replace('→', "\t", $match[1]);
|
||||
$expectedHtml = isset($match[2]) ? str_replace('→', "\t", $match[2]) : '';
|
||||
|
||||
$data[$currentId] = array(
|
||||
'id' => $currentId,
|
||||
'section' => $currentSection,
|
||||
'markdown' => $markdown,
|
||||
'expectedHtml' => $expectedHtml
|
||||
);
|
||||
}
|
||||
}
|
||||
|
||||
return $data;
|
||||
}
|
||||
}
|
|
@ -0,0 +1,63 @@
|
|||
<?php
|
||||
require_once(__DIR__ . '/CommonMarkTestStrict.php');
|
||||
|
||||
/**
|
||||
* Test Parsedown against the CommonMark spec, but less aggressive
|
||||
*
|
||||
* The resulting HTML markup is cleaned up before comparison, so examples
|
||||
* which would normally fail due to actually invisible differences (e.g.
|
||||
* superfluous whitespaces), don't fail. However, cleanup relies on block
|
||||
* element detection. The detection doesn't work correctly when a element's
|
||||
* `display` CSS property is manipulated. According to that this test is only
|
||||
* a interim solution on Parsedown's way to full CommonMark compatibility.
|
||||
*
|
||||
* @link http://commonmark.org/ CommonMark
|
||||
*/
|
||||
class CommonMarkTestWeak extends CommonMarkTestStrict
|
||||
{
|
||||
protected $textLevelElementRegex;
|
||||
|
||||
protected function setUp()
|
||||
{
|
||||
parent::setUp();
|
||||
|
||||
$textLevelElements = $this->parsedown->getTextLevelElements();
|
||||
array_walk($textLevelElements, function (&$element) {
|
||||
$element = preg_quote($element, '/');
|
||||
});
|
||||
$this->textLevelElementRegex = '\b(?:' . implode('|', $textLevelElements) . ')\b';
|
||||
}
|
||||
|
||||
/**
|
||||
* @dataProvider data
|
||||
* @param $id
|
||||
* @param $section
|
||||
* @param $markdown
|
||||
* @param $expectedHtml
|
||||
*/
|
||||
public function testExample($id, $section, $markdown, $expectedHtml)
|
||||
{
|
||||
$expectedHtml = $this->cleanupHtml($expectedHtml);
|
||||
|
||||
$actualHtml = $this->parsedown->text($markdown);
|
||||
$actualHtml = $this->cleanupHtml($actualHtml);
|
||||
|
||||
$this->assertEquals($expectedHtml, $actualHtml);
|
||||
}
|
||||
|
||||
protected function cleanupHtml($markup)
|
||||
{
|
||||
// invisible whitespaces at the beginning and end of block elements
|
||||
// however, whitespaces at the beginning of <pre> elements do matter
|
||||
$markup = preg_replace(
|
||||
array(
|
||||
'/(<(?!(?:' . $this->textLevelElementRegex . '|\bpre\b))\w+\b[^>]*>(?:<' . $this->textLevelElementRegex . '[^>]*>)*)\s+/s',
|
||||
'/\s+((?:<\/' . $this->textLevelElementRegex . '>)*<\/(?!' . $this->textLevelElementRegex . ')\w+\b>)/s'
|
||||
),
|
||||
'$1',
|
||||
$markup
|
||||
);
|
||||
|
||||
return $markup;
|
||||
}
|
||||
}
|
|
@ -1,6 +1,9 @@
|
|||
<?php
|
||||
require 'SampleExtensions.php';
|
||||
|
||||
class ParsedownTest extends PHPUnit_Framework_TestCase
|
||||
use PHPUnit\Framework\TestCase;
|
||||
|
||||
class ParsedownTest extends TestCase
|
||||
{
|
||||
final function __construct($name = null, array $data = array(), $dataName = '')
|
||||
{
|
||||
|
@ -10,7 +13,8 @@ class ParsedownTest extends PHPUnit_Framework_TestCase
|
|||
parent::__construct($name, $data, $dataName);
|
||||
}
|
||||
|
||||
private $dirs, $Parsedown;
|
||||
private $dirs;
|
||||
protected $Parsedown;
|
||||
|
||||
/**
|
||||
* @return array
|
||||
|
@ -27,7 +31,7 @@ class ParsedownTest extends PHPUnit_Framework_TestCase
|
|||
*/
|
||||
protected function initParsedown()
|
||||
{
|
||||
$Parsedown = new Parsedown();
|
||||
$Parsedown = new TestParsedown();
|
||||
|
||||
return $Parsedown;
|
||||
}
|
||||
|
@ -46,11 +50,47 @@ class ParsedownTest extends PHPUnit_Framework_TestCase
|
|||
$expectedMarkup = str_replace("\r\n", "\n", $expectedMarkup);
|
||||
$expectedMarkup = str_replace("\r", "\n", $expectedMarkup);
|
||||
|
||||
$this->Parsedown->setSafeMode(substr($test, 0, 3) === 'xss');
|
||||
|
||||
$actualMarkup = $this->Parsedown->text($markdown);
|
||||
|
||||
$this->assertEquals($expectedMarkup, $actualMarkup);
|
||||
}
|
||||
|
||||
function testRawHtml()
|
||||
{
|
||||
$markdown = "```php\nfoobar\n```";
|
||||
$expectedMarkup = '<pre><code class="language-php"><p>foobar</p></code></pre>';
|
||||
$expectedSafeMarkup = '<pre><code class="language-php"><p>foobar</p></code></pre>';
|
||||
|
||||
$unsafeExtension = new UnsafeExtension;
|
||||
$actualMarkup = $unsafeExtension->text($markdown);
|
||||
|
||||
$this->assertEquals($expectedMarkup, $actualMarkup);
|
||||
|
||||
$unsafeExtension->setSafeMode(true);
|
||||
$actualSafeMarkup = $unsafeExtension->text($markdown);
|
||||
|
||||
$this->assertEquals($expectedSafeMarkup, $actualSafeMarkup);
|
||||
}
|
||||
|
||||
function testTrustDelegatedRawHtml()
|
||||
{
|
||||
$markdown = "```php\nfoobar\n```";
|
||||
$expectedMarkup = '<pre><code class="language-php"><p>foobar</p></code></pre>';
|
||||
$expectedSafeMarkup = $expectedMarkup;
|
||||
|
||||
$unsafeExtension = new TrustDelegatedExtension;
|
||||
$actualMarkup = $unsafeExtension->text($markdown);
|
||||
|
||||
$this->assertEquals($expectedMarkup, $actualMarkup);
|
||||
|
||||
$unsafeExtension->setSafeMode(true);
|
||||
$actualSafeMarkup = $unsafeExtension->text($markdown);
|
||||
|
||||
$this->assertEquals($expectedSafeMarkup, $actualSafeMarkup);
|
||||
}
|
||||
|
||||
function data()
|
||||
{
|
||||
$data = array();
|
||||
|
@ -132,15 +172,14 @@ color: red;
|
|||
<p>comment</p>
|
||||
<p><!-- html comment --></p>
|
||||
EXPECTED_HTML;
|
||||
$parsedownWithNoMarkup = new Parsedown();
|
||||
|
||||
$parsedownWithNoMarkup = new TestParsedown();
|
||||
$parsedownWithNoMarkup->setMarkupEscaped(true);
|
||||
$this->assertEquals($expectedHtml, $parsedownWithNoMarkup->text($markdownWithHtml));
|
||||
}
|
||||
|
||||
public function testLateStaticBinding()
|
||||
{
|
||||
include 'test/TestParsedown.php';
|
||||
|
||||
$parsedown = Parsedown::instance();
|
||||
$this->assertInstanceOf('Parsedown', $parsedown);
|
||||
|
||||
|
|
|
@ -0,0 +1,40 @@
|
|||
<?php
|
||||
|
||||
class UnsafeExtension extends Parsedown
|
||||
{
|
||||
protected function blockFencedCodeComplete($Block)
|
||||
{
|
||||
$text = $Block['element']['text']['text'];
|
||||
unset($Block['element']['text']['text']);
|
||||
|
||||
// WARNING: There is almost always a better way of doing things!
|
||||
//
|
||||
// This example is one of them, unsafe behaviour is NOT needed here.
|
||||
// Only use this if you trust the input and have no idea what
|
||||
// the output HTML will look like (e.g. using an external parser).
|
||||
$Block['element']['text']['rawHtml'] = "<p>$text</p>";
|
||||
|
||||
return $Block;
|
||||
}
|
||||
}
|
||||
|
||||
|
||||
class TrustDelegatedExtension extends Parsedown
|
||||
{
|
||||
protected function blockFencedCodeComplete($Block)
|
||||
{
|
||||
$text = $Block['element']['text']['text'];
|
||||
unset($Block['element']['text']['text']);
|
||||
|
||||
// WARNING: There is almost always a better way of doing things!
|
||||
//
|
||||
// This behaviour is NOT needed in the demonstrated case.
|
||||
// Only use this if you are sure that the result being added into
|
||||
// rawHtml is safe.
|
||||
// (e.g. using an external parser with escaping capabilities).
|
||||
$Block['element']['text']['rawHtml'] = "<p>$text</p>";
|
||||
$Block['element']['text']['allowRawHtmlInSafeMode'] = true;
|
||||
|
||||
return $Block;
|
||||
}
|
||||
}
|
|
@ -2,4 +2,8 @@
|
|||
|
||||
class TestParsedown extends Parsedown
|
||||
{
|
||||
public function getTextLevelElements()
|
||||
{
|
||||
return $this->textLevelElements;
|
||||
}
|
||||
}
|
||||
|
|
|
@ -1,3 +0,0 @@
|
|||
<?php
|
||||
|
||||
include 'Parsedown.php';
|
|
@ -1 +1,2 @@
|
|||
<p>my email is <a href="mailto:me@example.com">me@example.com</a></p>
|
||||
<p>my email is <a href="mailto:me@example.com">me@example.com</a></p>
|
||||
<p>html tags shouldn't start an email autolink <strong>first.last@example.com</strong></p>
|
|
@ -1 +1,3 @@
|
|||
my email is <me@example.com>
|
||||
my email is <me@example.com>
|
||||
|
||||
html tags shouldn't start an email autolink <strong>first.last@example.com</strong>
|
|
@ -3,4 +3,9 @@
|
|||
$message = 'fenced code block';
|
||||
echo $message;</code></pre>
|
||||
<pre><code>tilde</code></pre>
|
||||
<pre><code class="language-php">echo 'language identifier';</code></pre>
|
||||
<pre><code class="language-php">echo 'language identifier';</code></pre>
|
||||
<pre><code class="language-c#">echo 'language identifier with non words';</code></pre>
|
||||
<pre><code class="language-html+php"><?php
|
||||
echo "Hello World";
|
||||
?>
|
||||
<a href="http://auraphp.com" >Aura Project</a></code></pre>
|
|
@ -11,4 +11,15 @@ tilde
|
|||
|
||||
```php
|
||||
echo 'language identifier';
|
||||
```
|
||||
|
||||
```c#
|
||||
echo 'language identifier with non words';
|
||||
```
|
||||
|
||||
```html+php
|
||||
<?php
|
||||
echo "Hello World";
|
||||
?>
|
||||
<a href="http://auraphp.com" >Aura Project</a>
|
||||
```
|
File diff suppressed because one or more lines are too long
File diff suppressed because one or more lines are too long
|
@ -0,0 +1,3 @@
|
|||
<div>Markup</div>
|
||||
_No markdown_ without blank line for **strict** compliance with CommonMark.
|
||||
<p><strong>Markdown</strong></p>
|
|
@ -0,0 +1,4 @@
|
|||
<div>Markup</div>
|
||||
_No markdown_ without blank line for **strict** compliance with CommonMark.
|
||||
|
||||
**Markdown**
|
|
@ -0,0 +1,4 @@
|
|||
<div>One markup on
|
||||
two lines</div>
|
||||
_No markdown_
|
||||
<p><strong>Markdown</strong></p>
|
|
@ -0,0 +1,5 @@
|
|||
<div>One markup on
|
||||
two lines</div>
|
||||
_No markdown_
|
||||
|
||||
**Markdown**
|
|
@ -0,0 +1,3 @@
|
|||
<div><p>Stripped markup</p></div>
|
||||
_No markdown_
|
||||
<p><strong>Markdown</strong></p>
|
|
@ -0,0 +1,4 @@
|
|||
<div><p>Stripped markup</p></div>
|
||||
_No markdown_
|
||||
|
||||
**Markdown**
|
|
@ -0,0 +1,3 @@
|
|||
<div>First markup</div><p>and second markup on the same line.</p>
|
||||
_No markdown_
|
||||
<p><strong>Markdown</strong></p>
|
|
@ -0,0 +1,4 @@
|
|||
<div>First markup</div><p>and second markup on the same line.</p>
|
||||
_No markdown_
|
||||
|
||||
**Markdown**
|
|
@ -0,0 +1,4 @@
|
|||
<div>First markup</div><p>and partial markup
|
||||
on two lines.</p>
|
||||
_No markdown_
|
||||
<p><strong>Markdown</strong></p>
|
|
@ -0,0 +1,5 @@
|
|||
<div>First markup</div><p>and partial markup
|
||||
on two lines.</p>
|
||||
_No markdown_
|
||||
|
||||
**Markdown**
|
|
@ -0,0 +1,4 @@
|
|||
<div><p>Stripped markup
|
||||
on two lines</p></div>
|
||||
_No markdown_
|
||||
<p><strong>Markdown</strong></p>
|
|
@ -0,0 +1,5 @@
|
|||
<div><p>Stripped markup
|
||||
on two lines</p></div>
|
||||
_No markdown_
|
||||
|
||||
**Markdown**
|
|
@ -0,0 +1,10 @@
|
|||
<ol>
|
||||
<li>
|
||||
<p>One
|
||||
First body copy</p>
|
||||
</li>
|
||||
<li>
|
||||
<p>Two
|
||||
Last body copy</p>
|
||||
</li>
|
||||
</ol>
|
|
@ -0,0 +1,5 @@
|
|||
1. One
|
||||
First body copy
|
||||
|
||||
2. Two
|
||||
Last body copy
|
|
@ -8,5 +8,7 @@
|
|||
<li>
|
||||
<p>li</p>
|
||||
</li>
|
||||
<li>li</li>
|
||||
<li>
|
||||
<p>li</p>
|
||||
</li>
|
||||
</ul>
|
|
@ -1,12 +1,18 @@
|
|||
<hr>
|
||||
|
||||
paragraph
|
||||
<hr/>
|
||||
|
||||
paragraph
|
||||
<hr />
|
||||
|
||||
paragraph
|
||||
<hr class="foo" id="bar" />
|
||||
|
||||
paragraph
|
||||
<hr class="foo" id="bar"/>
|
||||
|
||||
paragraph
|
||||
<hr class="foo" id="bar" >
|
||||
|
||||
paragraph
|
|
@ -0,0 +1,12 @@
|
|||
<h1>trailing space</h1>
|
||||
<h2>trailing space</h2>
|
||||
<h1>leading and trailing space</h1>
|
||||
<h2>leading and trailing space</h2>
|
||||
<h1>1 leading space</h1>
|
||||
<h2>1 leading space</h2>
|
||||
<h1>3 leading spaces</h1>
|
||||
<h2>3 leading spaces</h2>
|
||||
<p>too many leading spaces
|
||||
==</p>
|
||||
<p>too many leading spaces
|
||||
--</p>
|
|
@ -0,0 +1,29 @@
|
|||
trailing space
|
||||
==
|
||||
|
||||
trailing space
|
||||
--
|
||||
|
||||
leading and trailing space
|
||||
==
|
||||
|
||||
leading and trailing space
|
||||
--
|
||||
|
||||
1 leading space
|
||||
==
|
||||
|
||||
1 leading space
|
||||
--
|
||||
|
||||
3 leading spaces
|
||||
==
|
||||
|
||||
3 leading spaces
|
||||
--
|
||||
|
||||
too many leading spaces
|
||||
==
|
||||
|
||||
too many leading spaces
|
||||
--
|
|
@ -2,6 +2,10 @@
|
|||
<li>
|
||||
<p>li</p>
|
||||
</li>
|
||||
<li>li</li>
|
||||
<li>li</li>
|
||||
<li>
|
||||
<p>li</p>
|
||||
</li>
|
||||
<li>
|
||||
<p>li</p>
|
||||
</li>
|
||||
</ul>
|
|
@ -1,8 +1,6 @@
|
|||
<div>
|
||||
line 1
|
||||
|
||||
line 2
|
||||
line 3
|
||||
|
||||
line 4
|
||||
<p>line 2
|
||||
line 3</p>
|
||||
<p>line 4</p>
|
||||
</div>
|
|
@ -2,7 +2,9 @@
|
|||
<li>
|
||||
<p>li</p>
|
||||
</li>
|
||||
<li>li</li>
|
||||
<li>
|
||||
<p>li</p>
|
||||
</li>
|
||||
</ul>
|
||||
<hr />
|
||||
<ul>
|
||||
|
|
|
@ -0,0 +1,6 @@
|
|||
<p><a href="https://www.example.com"">xss</a></p>
|
||||
<p><img src="https://www.example.com"" alt="xss" /></p>
|
||||
<p><a href="https://www.example.com'">xss</a></p>
|
||||
<p><img src="https://www.example.com'" alt="xss" /></p>
|
||||
<p><img src="https://www.example.com" alt="xss"" /></p>
|
||||
<p><img src="https://www.example.com" alt="xss'" /></p>
|
|
@ -0,0 +1,11 @@
|
|||
[xss](https://www.example.com")
|
||||
|
||||
![xss](https://www.example.com")
|
||||
|
||||
[xss](https://www.example.com')
|
||||
|
||||
![xss](https://www.example.com')
|
||||
|
||||
![xss"](https://www.example.com)
|
||||
|
||||
![xss'](https://www.example.com)
|
|
@ -0,0 +1,16 @@
|
|||
<p><a href="javascript%3Aalert(1)">xss</a></p>
|
||||
<p><a href="javascript%3Aalert(1)">xss</a></p>
|
||||
<p><a href="javascript%3A//alert(1)">xss</a></p>
|
||||
<p><a href="javascript&colon;alert(1)">xss</a></p>
|
||||
<p><img src="javascript%3Aalert(1)" alt="xss" /></p>
|
||||
<p><img src="javascript%3Aalert(1)" alt="xss" /></p>
|
||||
<p><img src="javascript%3A//alert(1)" alt="xss" /></p>
|
||||
<p><img src="javascript&colon;alert(1)" alt="xss" /></p>
|
||||
<p><a href="data%3Atext/html;base64,PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg==">xss</a></p>
|
||||
<p><a href="data%3Atext/html;base64,PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg==">xss</a></p>
|
||||
<p><a href="data%3A//text/html;base64,PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg==">xss</a></p>
|
||||
<p><a href="data&colon;text/html;base64,PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg==">xss</a></p>
|
||||
<p><img src="data%3Atext/html;base64,PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg==" alt="xss" /></p>
|
||||
<p><img src="data%3Atext/html;base64,PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg==" alt="xss" /></p>
|
||||
<p><img src="data%3A//text/html;base64,PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg==" alt="xss" /></p>
|
||||
<p><img src="data&colon;text/html;base64,PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg==" alt="xss" /></p>
|
|
@ -0,0 +1,31 @@
|
|||
[xss](javascript:alert(1))
|
||||
|
||||
[xss]( javascript:alert(1))
|
||||
|
||||
[xss](javascript://alert(1))
|
||||
|
||||
[xss](javascript:alert(1))
|
||||
|
||||
![xss](javascript:alert(1))
|
||||
|
||||
![xss]( javascript:alert(1))
|
||||
|
||||
![xss](javascript://alert(1))
|
||||
|
||||
![xss](javascript:alert(1))
|
||||
|
||||
[xss](data:text/html;base64,PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg==)
|
||||
|
||||
[xss]( data:text/html;base64,PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg==)
|
||||
|
||||
[xss](data://text/html;base64,PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg==)
|
||||
|
||||
[xss](data:text/html;base64,PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg==)
|
||||
|
||||
![xss](data:text/html;base64,PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg==)
|
||||
|
||||
![xss]( data:text/html;base64,PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg==)
|
||||
|
||||
![xss](data://text/html;base64,PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg==)
|
||||
|
||||
![xss](data:text/html;base64,PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg==)
|
|
@ -0,0 +1,7 @@
|
|||
<p><script>alert(1)</script></p>
|
||||
<p><script></p>
|
||||
<p>alert(1)</p>
|
||||
<p></script></p>
|
||||
<p><script>
|
||||
alert(1)
|
||||
</script></p>
|
|
@ -0,0 +1,12 @@
|
|||
<script>alert(1)</script>
|
||||
|
||||
<script>
|
||||
|
||||
alert(1)
|
||||
|
||||
</script>
|
||||
|
||||
|
||||
<script>
|
||||
alert(1)
|
||||
</script>
|
Loading…
Reference in New Issue