whitelist changes:

* add gif and jpg as allowed data images * ensure that user controlled content fall only in the "data section" of the data URI (and does not intersect content-type definition in any way (best to be safe than sorry ;-))) "data section" as defined in: https://tools.ietf.org/html/rfc2397#section-3
2017-05-02 19:48:08 +01:00 · 2017-05-02 19:48:08 +01:00 · 4dc98b635d
parent e4bb12329e
commit 4dc98b635d
1 changed files with 3 additions and 1 deletions
--- a/Parsedown.php
+++ b/Parsedown.php
@ -91,7 +91,9 @@ class Parsedown
        'ftp://',
        'ftps://',
        'mailto:',
-        'data:image/png;',
+        'data:image/png;base64,',
+        'data:image/gif;base64,',
+        'data:image/jpg;base64,',
    );

    #