From bbb7687f31d6904f3a0e11e97bc61852a62cfe90 Mon Sep 17 00:00:00 2001
From: Aidan Woods
Date: Tue, 9 May 2017 19:31:36 +0100
Subject: [PATCH] safeMode will either apply all sanitisation techniques to an element or none (note that encoding HTML entities is done regardless because it speaks to character context, and that the only attributes/elements we should permit are the ones we actually mean to create)
---
Parsedown.php | 33 ++++++++++++++++-----------------
1 file changed, 16 insertions(+), 17 deletions(-)
diff --git a/Parsedown.php b/Parsedown.php
index 0dbf40c..c540d12 100644
--- a/Parsedown.php
+++ b/Parsedown.php
@@ -1422,7 +1422,10 @@ class Parsedown
 protected function element(array $Element)
 {
- $Element = $this->sanitiseElement($Element);
+ if ($this->safeMode)
+ {
+ $Element = $this->sanitiseElement($Element);
+ }
 $markup = '<'.$Element['name'];
@@ -1543,27 +1546,23 @@ class Parsedown
 protected function filterUnsafeUrlInAttribute(array $Element, $attribute)
 {
- if ($this->safeMode)
+ foreach ($this->safeLinksWhitelist as $scheme)
 {
- foreach ($this->safeLinksWhitelist as $scheme)
+ if (self::striAtStart($Element['attributes'][$attribute], $scheme))
 {
- if (self::striAtStart($Element['attributes'][$attribute], $scheme))
- {
- return $Element;
- }
+ return $Element;
 }
-
- $Element['attributes'][$attribute] = preg_replace_callback(
- '/[^\/#?&=%]++/',
- function (array $match)
- {
- return urlencode($match[0]);
- },
- $Element['attributes'][$attribute]
- );
- }
+ $Element['attributes'][$attribute] = preg_replace_callback(
+ '/[^\/#?&=%]++/',
+ function (array $match)
+ {
+ return urlencode($match[0]);
+ },
+ $Element['attributes'][$attribute]
+ );
+ return $Element;
 }
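Review bot: The `if ($this->safeMode)` added around `sanitiseElement()` becomes the only place safe mode is consulted once the second hunk drops the check inside `filterUnsafeUrlInAttribute()`, but nothing at this call site records that contract. A comment such as `// sole safeMode gate: sanitiseElement() and its filters now run unconditionally when called` would stop a later change from re-adding the check downstream or silently removing it here. Any markup assembled without going through `element()` would bypass this gate, which is another reason to state the contract where the gate lives. The rest of `element()` continues past the end of the hunk.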
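Review bot: As rendered, the new side of this hunk closes the inner `if` with the context `}` and then goes straight to the `preg_replace_callback` assignment, so the `foreach` opened by the first added line appears to have no closing brace; this may be a context line lost in the rendering, but it is worth confirming against the file since the method would otherwise not parse. The method also now filters unconditionally, so a subclass that calls `filterUnsafeUrlInAttribute()` or `sanitiseElement()` directly no longer gets the pass-through the old `safeMode` check gave it; a docblock such as `/** Filters unconditionally; callers are expected to gate on safeMode (see element()). */` would make the new contract explicit. The fallback deliberately leaves `%` untouched, so already-encoded input passes through unchanged while `:` becomes `%3A`, which neutralises non-whitelisted schemes but is not a general URL sanitiser — a short comment on the pattern would keep that distinction clear.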