Commit Graph

300 Commits

Author SHA1 Message Date
Aidan Woods b1e5aebaf6
add single safeMode option that encompasses protection from link destination xss and plain markup based xss into a single on/off switch 2017-05-09 19:22:58 +01:00
Aidan Woods c63b690a79
remove duplicates 2017-05-09 14:50:15 +01:00
Aidan Woods 226f636360
remove $safe flag 2017-05-07 13:45:59 +01:00
Aidan Woods 2e4afde68d
faster check substr at beginning of string 2017-05-06 16:32:51 +01:00
Aidan Woods dc30cb441c
add more protocols to the whitelist 2017-05-05 21:32:27 +01:00
Aidan Woods 054ba3c487
urlencode urls that are potentially unsafe:
this should break urls that attempt to include a protocol, or port (these are absolute URLs and should have a whitelisted protocol for use)
but URLs that are relative, or relative from the site root should be preserved (though characters non essential for the URL structure may be urlencoded)

this approach has significant advantages over attempting to locate something like `javascript:alert(1)` or `javascript:alert(1)` (which are both valid) because browsers have been known to ignore ridiculous characters when encountered (meaning something like `jav\ta\0\0script:alert(1)` would be xss :( ). Instead of trying to chase down a way to interpret a URL to decide whether there is a protocol, this approach ensures that two essential characters needed to achieve a colon are encoded: `:` (obviously) and `;` (from `:`). If these characters appear in a relative URL then they are equivalent to their URL-encoded form and so this change will be non-breaking for that case.
2017-05-03 17:01:27 +01:00
Aidan Woods 4bae1c9834
whitelist regex for good attribute (no
no chars that could form a delimiter allowed
2017-05-03 00:39:01 +01:00
Aidan Woods aee3963e6b
jpeg, not jpg 2017-05-02 19:55:03 +01:00
Aidan Woods 4dc98b635d
whitelist changes:
* add gif and jpg as allowed data images
* ensure that user-controlled content falls only in the "data section" of the data URI (and does not intersect the content-type definition in any way (better to be safe than sorry ;-)))
  "data section" as defined in: https://tools.ietf.org/html/rfc2397#section-3
2017-05-02 19:48:25 +01:00
Aidan Woods e4bb12329e
array_keys is probably faster 2017-05-02 01:32:24 +01:00
Aidan Woods 6d0156d707
dump attributes that contain characters that are impossible for validity, or very unlikely 2017-05-02 00:48:48 +01:00
Aidan Woods 131ba75851
filter onevent attributes 2017-05-01 15:44:04 +01:00
Aidan Woods 6bb66db00f
anti-xss
protect all attributes and content from xss via element method
filter special attributes (a href, img src)
expand url whitelist slightly to permit data images and mailto links
2017-05-01 03:25:07 +01:00
naNuke b3d45c4bb9 Add html escaping to all attributes capable of holding user input. 2017-05-01 02:00:38 +01:00
naNuke 1d4296f34d Customizable whitelist of schemas for safeLinks 2017-05-01 01:58:34 +01:00
naNuke bf5105cb1a Improve safeLinks with whitelist. 2017-05-01 01:58:34 +01:00
naNuke 1140613fc7 Prevent various XSS attacks 2017-05-01 01:58:34 +01:00
Emanuil Rusev 1bf24f7334 add kbd to text-level elements 2017-03-29 19:04:15 +03:00
Marek Skiba 7081afe8cb Removed double semicolon 2017-03-02 12:43:51 +01:00
Aidan Woods 0172d779d7 Trim surrounding whitespace from URL in inlineLink
Fixes https://github.com/erusev/parsedown-extra/issues/103
2017-01-21 11:06:41 +00:00
gene_sis 48351504de adjust two regex pattern within inlineLink() to reduce backtracking
add test with base64 image
2017-01-07 00:45:38 +01:00
Aidan Woods 5c22531e4d Allow parsedown to specify list start attribute
Syntax preferences
2016-10-05 18:27:54 +01:00
Aidan Woods 3978e33fd0 Allow parsedown to specify list start attribute
Remove github added tabs on blank lines
2016-10-05 18:17:12 +01:00
Aidan Woods a37797ef34 Allow parsedown to specify list start attribute
Syntax preferences to match surrounding code
2016-10-05 18:15:47 +01:00
Aidan Woods e3cd271f16 Allow parsedown to specify list start attribute
Performance: Swap preg_replace for stristr to obtain list start
2016-10-05 15:44:34 +01:00
Aidan Woods f0b7b61c16 Allow parsedown to specify list start attribute
Should fix compatibility for PHP 5.3
2016-10-05 11:36:27 +01:00
Aidan Woods ed41fcf3d6 Allow parsedown to specify list start attribute
oops
2016-10-05 10:06:40 +01:00
Aidan Woods 1fa8fae301 Allow parsedown to specify list start attribute
Readability improvements
2016-10-05 10:03:21 +01:00
Aidan Woods f17aa0438a Update Parsedown.php 2016-09-27 02:15:35 +01:00
Aidan Woods 38f4027d5e Update Parsedown.php
Okay, so maybe I should have looked 20 lines or so above where I made the edit in the element function – looks like it already supports adding attributes ;p
Have amended the change to blocklist to use the already existing functionality, and have reverted the change that I made to the element function.
2016-09-27 02:15:09 +01:00
Aidan Woods 2cee8d8a2d Update Parsedown.php
Looks like I might need to return the pattern which was used previously
Reverting last change as build still failed

This build will still fail, but I'm hoping it will only fail where the list start value has been inserted
2016-09-27 01:23:22 +01:00
Aidan Woods cceefafd55 test
Attempting to determine which function change is causing test jobs to fail (in unexpected ways)
2016-09-27 01:16:00 +01:00
Aidan Woods 1c58e9d8d5 oops
oops
2016-09-27 00:57:57 +01:00
Aidan Woods 2772b034c6 Update Parsedown.php
(I think this should work)
Allow parsedown to specify list start attribute (see: https://github.com/erusev/parsedown/issues/100#issuecomment-249729602)
2016-09-27 00:53:51 +01:00
Emanuil Rusev 490a8f35a4 remove incompatible comment 2016-03-09 19:02:39 +02:00
Andy Miller e7443a2bd8 Fixed really sorry spelling errors 2015-12-18 20:45:14 -07:00
Andy Miller 10a7ff776c Left as-is 2015-12-17 10:48:21 -07:00
Andy Miller 5ad15b87fa Break out method_exists checks into extendable methods to allow for better pluggability 2015-12-17 10:46:44 -07:00
Andy Miller b166cab9a2 Make `lines` protected to allow for extendability 2015-12-17 10:46:04 -07:00
Jesse Donat e603c2378d Parsedown library shouldn't be executable 2015-10-20 15:16:36 -05:00
Emanuil Rusev 3ebbd730b5 1.6.0 2015-10-04 19:44:32 +03:00
Emanuil Rusev fa005fdb95 Merge pull request #336 from hkdobrev/late-static-binding
Use late static binding for Parsedown::instance()
2015-08-13 15:16:23 +03:00
Haralan Dobrev 5f40cab3e7 Use late static binding for Parsedown::instance()
Fixes erusev/parsedown-extra#67.

This introduces PHP 5.3+ late static binding to the Singleton pattern in Parsedown.
It will return an instance of Parsedown which inherits the class which
called the `instance()` method rather than always returning an instance of just `Parsedown`.

Tests are testing this feature with a test class which inherits from Parsedown.
Notice that when `instance()` is called with the default arguments after an instance of
`Parsedown` was already created, it will return that one even though it is just
an instance of `Parsedown`. So this is fixing the problem only partially.
2015-08-13 13:29:33 +03:00
Emanuil Rusev 0e89e3714b 1.5.4 2015-08-03 12:24:05 +03:00
Emanuil Rusev 6b24125f06 clean up 2015-07-31 17:01:14 +03:00
Emanuil Rusev a589bcac79 resolve #342 2015-07-31 01:33:21 +03:00
Emanuil Rusev a9dfc97ddc opening code fence doesn't need 2 regex groups 2015-07-16 16:57:13 +03:00
Emanuil Rusev ba802c1c8d replace the term "incomplete" 2015-07-02 01:01:14 +03:00
Emanuil Rusev 438874e9a8 improve line 2015-06-25 01:05:05 +03:00
Emanuil Rusev e2bb3eaaf8 clean up 2015-06-15 12:28:35 +03:00