From 3fc54bc966caea29a633dba41ebb6728a917ee67 Mon Sep 17 00:00:00 2001
From: Aidan Woods
Date: Thu, 15 Mar 2018 19:46:03 +0000
Subject: [PATCH] Allow extension to "vouch" for raw HTML they produce Rename
"unsafeHtml" to "rawHtml"
---
Parsedown.php | 25 ++++++++++++++++++++-----
test/ParsedownTest.php | 21 +++++++++++++++++++--
test/SampleExtensions.php | 39 +++++++++++++++++++++++++++++++++++++++
test/UnsafeExtension.php | 19 -------------------
4 files changed, 78 insertions(+), 26 deletions(-)
create mode 100644 test/SampleExtensions.php
delete mode 100644 test/UnsafeExtension.php
diff --git a/Parsedown.php b/Parsedown.php
index 9558525..160594e 100644
--- a/Parsedown.php
+++ b/Parsedown.php
@@ -1488,18 +1488,33 @@ class Parsedown
}
}
- $unsafeHtml = false;
+ $permitRawHtml = false;
+
if (isset($Element['text']))
{
$text = $Element['text'];
}
// very strongly consider an alternative if you're writing an
// extension
- elseif (isset($Element['unsafeHtml']))
+ elseif (isset($Element['rawHtml']))
{
- $text = $Element['unsafeHtml'];
+ $text = $Element['rawHtml'];
- $unsafeHtml = true;
+ $allowRawHtmlInSafeMode = false;
+
+ if (isset($Element['allowRawHtmlInSafeMode']))
+ {
+ $allowRawHtmlInSafeMode = (true === $Element['allowRawHtmlInSafeMode']);
+ }
+
+ if ($this->safeMode !== true)
+ {
+ $permitRawHtml = true;
+ }
+ elseif ($this->safeMode and $allowRawHtmlInSafeMode)
+ {
+ $permitRawHtml = true;
+ }
}
if (isset($text))
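Review bot: The new guard `if ($this->safeMode !== true)` treats only the exact boolean `true` as safe mode, whereas the removed condition `$unsafeHtml !== true or $this->safeMode` escaped on any truthy value. If `safeMode` can ever hold `1` or a non-empty string (the setter is not visible in this hunk, so this is unconfirmed), raw HTML would now be emitted unescaped while safe mode is nominally on. Collapsing both branches into `if ( ! $this->safeMode or $allowRawHtmlInSafeMode) { $permitRawHtml = true; }` keeps the old fail-closed behaviour and drops the redundant `$this->safeMode and` test in the `elseif`. Because `allowRawHtmlInSafeMode` moves the escaping duty to the extension, a comment above the lookup such as `// the extension vouches for this HTML: it must have escaped any input-derived text itself` would help. The enclosing method starts before and continues after this hunk, and the escape decision in the following hunk (`elseif ($permitRawHtml !== true)`) depends on this flag.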
@@ -1515,7 +1530,7 @@ class Parsedown
{
$markup .= $this->{$Element['handler']}($text, $Element['nonNestables']);
}
- elseif ($unsafeHtml !== true or $this->safeMode)
+ elseif ($permitRawHtml !== true)
{
$markup .= self::escape($text, true);
}
diff --git a/test/ParsedownTest.php b/test/ParsedownTest.php
index 8f3e6c8..cc0cc1d 100644
--- a/test/ParsedownTest.php
+++ b/test/ParsedownTest.php
@@ -1,5 +1,5 @@
assertEquals($expectedMarkup, $actualMarkup);
}
- function testUnsafeHtml()
+ function testRawHtml()
{
$markdown = "```php\nfoobar\n```";
$expectedMarkup = 'foobar
';
@@ -73,6 +73,23 @@ class ParsedownTest extends TestCase
$this->assertEquals($expectedSafeMarkup, $actualSafeMarkup);
}
+ function testTrustDelegatedRawHtml()
+ {
+ $markdown = "```php\nfoobar\n```";
+ $expectedMarkup = 'foobar
';
+ $expectedSafeMarkup = $expectedMarkup;
+
+ $unsafeExtension = new TrustDelegatedExtension;
+ $actualMarkup = $unsafeExtension->text($markdown);
+
+ $this->assertEquals($expectedMarkup, $actualMarkup);
+
+ $unsafeExtension->setSafeMode(true);
+ $actualSafeMarkup = $unsafeExtension->text($markdown);
+
+ $this->assertEquals($expectedSafeMarkup, $actualSafeMarkup);
+ }
+
function data()
{
$data = array();
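Review bot: `testTrustDelegatedRawHtml` only covers the case where the flag is exactly `true` and the input is the harmless `foobar`, so it would still pass if the `true === $Element['allowRawHtmlInSafeMode']` comparison in Parsedown.php were loosened. A companion case would pin the strict comparison: an extension that sets the flag to a truthy non-boolean such as `1`, with an assertion that the safe-mode output is escaped. The local is also still named `$unsafeExtension` although it holds a `TrustDelegatedExtension`; `$trustDelegatedExtension = new TrustDelegatedExtension;` would read more accurately.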
diff --git a/test/SampleExtensions.php b/test/SampleExtensions.php
new file mode 100644
index 0000000..6d7ec9f
--- /dev/null
+++ b/test/SampleExtensions.php
@@ -0,0 +1,39 @@
+$text
";
+
+ return $Block;
+ }
+}
+
+
+class TrustDelegatedExtension extends Parsedown
+{
+ protected function blockFencedCodeComplete($Block)
+ {
+ $text = $Block['element']['text']['text'];
+ unset($Block['element']['text']['text']);
+
+ // WARNING: There is almost always a better way of doing things!
+ //
+ // This example is one of them, unsafe behaviour is NOT needed here.
+ // Only use this if you trust the input and have no idea what
+ // the output HTML will look like (e.g. using an external parser).
+ $Block['element']['text']['rawHtml'] = "$text
";
+ $Block['element']['text']['allowRawHtmlInSafeMode'] = true;
+
+ return $Block;
+ }
+}
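Review bot: `TrustDelegatedExtension::blockFencedCodeComplete` interpolates `$text`, taken from the fenced block of the markdown input, into `rawHtml` and then sets `allowRawHtmlInSafeMode` to `true`, so in safe mode the code-block content is emitted without escaping. The warning comment reads as if carried over from the unsafe sample; "only use this if you trust the input" does not fit an extension whose purpose is to vouch for its output when the input is not trusted. Since sample code tends to be copied, I would interpolate `self::escape($text)` (the helper Parsedown.php calls, assuming it is not private) instead of `$text`. I would also reword the comment to `// allowRawHtmlInSafeMode skips safe-mode escaping: escape every input-derived value before placing it in rawHtml`. The markup surrounding `$text` in the string literal appears to have been lost in this rendering, so the full line is not quoted here.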
diff --git a/test/UnsafeExtension.php b/test/UnsafeExtension.php
deleted file mode 100644
index 9a8dcc7..0000000
--- a/test/UnsafeExtension.php
+++ /dev/null
@@ -1,19 +0,0 @@
-$text";
-
- return $Block;
- }
-}