From 6a3167d461ffd529226c02216943f1585d4d6b98 Mon Sep 17 00:00:00 2001
From: Lukas Winkler
Date: Thu, 21 Sep 2017 19:57:54 +0200
Subject: [PATCH] fixes #5 - disallow unsafe file extensions
---
 src/config/config.example.php | 6 ++++++
 src/helpers/Markdown.php | 16 +++++++++++++++-
 2 files changed, 21 insertions(+), 1 deletion(-)
diff --git a/src/config/config.example.php b/src/config/config.example.php
index 3f82125..f2cbfbd 100644
--- a/src/config/config.example.php
+++ b/src/config/config.example.php
@@ -32,3 +32,9 @@ define('NUMBER_OF_ISSUES_PER_PAGE', 100);
 * error messages will be displayed if enabled.
 */
 define('DEBUG_ENABLED', false);
+
+/**
+ * Set list of file extentions that should be disallowed in links
+ * see https://github.com/piwik/github-issues-mirror/issues/5
+ */
+define('FORBIDDEN_EXTENSIONS', ['swf', 'js', 'htm']);
\ No newline at end of file
diff --git a/src/helpers/Markdown.php b/src/helpers/Markdown.php
index 196f008..09ecae4 100755
--- a/src/helpers/Markdown.php
+++ b/src/helpers/Markdown.php
@@ -9,7 +9,8 @@
 namespace helpers;
-class Markdown extends \Parsedown {
+class Markdown extends \Parsedown
+{
 /**
 * Transform markdown to HTML. The HTML will be purified to prevent XSS.
@@ -21,9 +22,22 @@ class Markdown extends \Parsedown {
 $this->setBreaksEnabled(true);
 $html = parent::text($markdown);
+ $html = $this->removeUnsafeFileExtensions($html);
 return $this->purifyHtml($html);
 }
+ /**
+ * swelen_dateslider.swf
+ * to
+ * swelen_dateslider.swf
+ * @param $html
+ * @return string html
+ */
+ private function removeUnsafeFileExtensions($html) {
+ $regex = '/attachments\/(.*?)\.(' . implode("|", FORBIDDEN_EXTENSIONS) . ')/';
+ return preg_replace($regex, "", $html);
+ }
+
 private function purifyHtml($html) {
 $config = \HTMLPurifier_Config::createDefault();
 $config->set('HTML.Doctype', 'XHTML 1.0 Transitional');
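Review bot: The docblock on the new `FORBIDDEN_EXTENSIONS` constant should state the format its consumer expects, because each value is interpolated verbatim into a regular expression in `Markdown::removeUnsafeFileExtensions` (second file of this patch) and that pattern is compiled without the case-insensitive flag. It also misspells "extentions". Suggested wording for the comment body: ` * File extensions (lowercase, without the leading dot) stripped from attachment links; each value is inserted into a regex, so keep them to plain alphanumerics.`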
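Review bot: The pattern built on the `$regex =` line matches a forbidden extension as a prefix rather than as the whole suffix, is case-sensitive, and its lazy `(.*?)` is not confined to the file name: `.js` also strips `.jsx`/`.json` attachments, a differently-cased extension is not matched at all, and when a harmless attachment link and a forbidden one share an output line the match runs from the first `attachments/` through any markup between them, deleting legitimate HTML. `preg_replace` additionally returns `null` on a PCRE error (e.g. the backtrack limit on a long line), and that `null` is then handed to `purifyHtml`. A character class that stops at quotes, whitespace and angle brackets, a negative lookahead after the extension, the `i` flag, and a fail-closed null check address all of this; the enclosing `text()` method begins above this hunk and `purifyHtml` continues below it. Rewriting the URL at the HTML-string level remains fragile compared with filtering the link target where it is produced (a Parsedown `inlineLink` override or an HTML Purifier URI filter), which I would treat as a follow-up.
```php
private function removeUnsafeFileExtensions($html) {
    // Confine the file name to a single URL/text token and require the
    // extension to end there (so "js" does not also hit ".jsx"); match case-insensitively.
    $extensions = implode('|', array_map('preg_quote', FORBIDDEN_EXTENSIONS));
    $regex = '/attachments\/([^\s"\'<>]*?)\.(' . $extensions . ')(?![A-Za-z0-9])/i';
    $result = preg_replace($regex, '', $html);
    if ($result === null) {
        // Fail closed: never return the unfiltered markup when PCRE bailed out.
        throw new \RuntimeException('Attachment filter failed, PCRE error ' . preg_last_error());
    }
    return $result;
}
```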