diff --git a/src/config/config.example.php b/src/config/config.example.php
index 3f82125..f2cbfbd 100644
--- a/src/config/config.example.php
+++ b/src/config/config.example.php
@@ -32,3 +32,9 @@ define('NUMBER_OF_ISSUES_PER_PAGE', 100);
* error messages will be displayed if enabled.
*/
define('DEBUG_ENABLED', false);
+
+/**
+ * Set list of file extentions that should be disallowed in links
+ * see https://github.com/piwik/github-issues-mirror/issues/5
+ */
+define('FORBIDDEN_EXTENSIONS', ['swf', 'js', 'htm']);
\ No newline at end of file
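Review bot: FORBIDDEN_EXTENSIONS is consumed in this commit's Markdown.php hunk (removeUnsafeFileExtensions) as a bare regex alternation with no boundary and no `i` modifier, so the entries match as case-sensitive prefixes: `htm` also strips `.html`, `js` strips `.json`, while `.SWF` or `.Js` pass untouched. The `.*?` before the extension is unbounded as well, so with two attachment links on one line the match runs from the first `attachments/` to the next listed extension and deletes the markup between them. A bounded character class, a trailing boundary and the `i` modifier address all three, e.g. `'/attachments\/[^\s"\'<>]*?\.(' . implode('|', FORBIDDEN_EXTENSIONS) . ')(?![a-z0-9])/i'`, and since this list is operator-editable each entry should go through `preg_quote($e, '/')` before joining. The comment added here could state that the list is an extension denylist applied to attachment links (so a reader sees that `html`, `svg` or `xhtml` are not covered as written) and fix "extentions" to "extensions"; the file also loses its trailing newline in this hunk.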
diff --git a/src/helpers/Markdown.php b/src/helpers/Markdown.php
index 196f008..09ecae4 100755
--- a/src/helpers/Markdown.php
+++ b/src/helpers/Markdown.php
@@ -9,7 +9,8 @@
namespace helpers;
-class Markdown extends \Parsedown {
+class Markdown extends \Parsedown
+{
/**
* Transform markdown to HTML. The HTML will be purified to prevent XSS.
@@ -21,9 +22,22 @@ class Markdown extends \Parsedown {
$this->setBreaksEnabled(true);
$html = parent::text($markdown);
+ $html = $this->removeUnsafeFileExtensions($html);
return $this->purifyHtml($html);
}
+ /**
+ * swelen_dateslider.swf
+ * to
+ * swelen_dateslider.swf
+ * @param $html
+ * @return string html
+ */
+ private function removeUnsafeFileExtensions($html) {
+ $regex = '/attachments\/(.*?)\.(' . implode("|", FORBIDDEN_EXTENSIONS) . ')/';
+ return preg_replace($regex, "", $html);
+ }
+
private function purifyHtml($html) {
$config = \HTMLPurifier_Config::createDefault();
$config->set('HTML.Doctype', 'XHTML 1.0 Transitional');