mirror of
https://github.com/erusev/parsedown.git
synced 2024-09-20 03:51:29 +02:00
Add html escaping to all attributes capable of holding user input.
This commit is contained in:
parent
674f40278f
commit
bfb02a8d12
@ -420,7 +420,7 @@ class Parsedown
|
|||||||
|
|
||||||
if (isset($matches[2]))
|
if (isset($matches[2]))
|
||||||
{
|
{
|
||||||
$class = 'language-'.$matches[2];
|
$class = 'language-'.htmlspecialchars($matches[2], ENT_QUOTES, 'UTF-8');
|
||||||
|
|
||||||
$Element['attributes'] = array(
|
$Element['attributes'] = array(
|
||||||
'class' => $class,
|
'class' => $class,
|
||||||
@ -1090,7 +1090,7 @@ class Parsedown
|
|||||||
{
|
{
|
||||||
if (strpos($Excerpt['text'], '>') !== false and preg_match('/^<((mailto:)?\S+?@\S+?)>/i', $Excerpt['text'], $matches))
|
if (strpos($Excerpt['text'], '>') !== false and preg_match('/^<((mailto:)?\S+?@\S+?)>/i', $Excerpt['text'], $matches))
|
||||||
{
|
{
|
||||||
$url = $matches[1];
|
$url = htmlspecialchars($matches[1], ENT_QUOTES, 'UTF-8');
|
||||||
|
|
||||||
if ( ! isset($matches[2]))
|
if ( ! isset($matches[2]))
|
||||||
{
|
{
|
||||||
@ -1270,12 +1270,12 @@ class Parsedown
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
$Element['attributes']['href'] = htmlspecialchars($Element['attributes']['href'], ENT_QUOTES);
|
$Element['attributes']['href'] = htmlspecialchars($Element['attributes']['href'], ENT_QUOTES, 'UTF-8');
|
||||||
$Element['text'] = htmlspecialchars($Element['text'], ENT_QUOTES);
|
$Element['text'] = htmlspecialchars($Element['text'], ENT_QUOTES, 'UTF-8');
|
||||||
|
|
||||||
if ( $Element['attributes']['title'] !== null )
|
if ( $Element['attributes']['title'] !== null )
|
||||||
{
|
{
|
||||||
$Element['attributes']['title'] = htmlspecialchars($Element['attributes']['title'], ENT_QUOTES);
|
$Element['attributes']['title'] = htmlspecialchars($Element['attributes']['title'], ENT_QUOTES, 'UTF-8');
|
||||||
}
|
}
|
||||||
|
|
||||||
return array(
|
return array(
|
||||||
@ -1366,14 +1366,16 @@ class Parsedown
|
|||||||
|
|
||||||
if (preg_match('/\bhttps?:[\/]{2}[^\s<]+\b\/*/ui', $Excerpt['context'], $matches, PREG_OFFSET_CAPTURE))
|
if (preg_match('/\bhttps?:[\/]{2}[^\s<]+\b\/*/ui', $Excerpt['context'], $matches, PREG_OFFSET_CAPTURE))
|
||||||
{
|
{
|
||||||
|
$url = htmlspecialchars($matches[0][0], ENT_QUOTES, 'UTF-8');
|
||||||
|
|
||||||
$Inline = array(
|
$Inline = array(
|
||||||
'extent' => strlen($matches[0][0]),
|
'extent' => strlen($matches[0][0]),
|
||||||
'position' => $matches[0][1],
|
'position' => $matches[0][1],
|
||||||
'element' => array(
|
'element' => array(
|
||||||
'name' => 'a',
|
'name' => 'a',
|
||||||
'text' => $matches[0][0],
|
'text' => $url,
|
||||||
'attributes' => array(
|
'attributes' => array(
|
||||||
'href' => $matches[0][0],
|
'href' => $url,
|
||||||
),
|
),
|
||||||
),
|
),
|
||||||
);
|
);
|
||||||
@ -1386,7 +1388,7 @@ class Parsedown
|
|||||||
{
|
{
|
||||||
if (strpos($Excerpt['text'], '>') !== false and preg_match('/^<(\w+:\/{2}[^ >]+)>/i', $Excerpt['text'], $matches))
|
if (strpos($Excerpt['text'], '>') !== false and preg_match('/^<(\w+:\/{2}[^ >]+)>/i', $Excerpt['text'], $matches))
|
||||||
{
|
{
|
||||||
$url = str_replace(array('&', '<'), array('&', '<'), $matches[1]);
|
$url = htmlspecialchars($matches[1], ENT_QUOTES, 'UTF-8');
|
||||||
|
|
||||||
return array(
|
return array(
|
||||||
'extent' => strlen($matches[0]),
|
'extent' => strlen($matches[0]),
|
||||||
|
Loading…
Reference in New Issue
Block a user