fixes #5 - disallow unsafe file extensions
This commit is contained in:
parent
45bf11a433
commit
6a3167d461
2 changed files with 21 additions and 1 deletions
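--- a/[path not shown on page]
+++ b/[path not shown on page]
@@ -32,3 +32,9 @@ define('NUMBER_OF_ISSUES_PER_PAGE', 100);
 * error messages will be displayed if enabled.
 */
 define('DEBUG_ENABLED', false);
+
+/**
+* Set list of file extentions that should be disallowed in links
+* see https://github.com/piwik/github-issues-mirror/issues/5
+*/
+define('FORBIDDEN_EXTENSIONS', ['swf', 'js', 'htm']);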
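Review bot: The new FORBIDDEN_EXTENSIONS list names `htm` but not `html`; the regex that consumes it (removeUnsafeFileExtensions in the Markdown helper, the second file of this commit) currently catches `.html` only because it matches each entry as a prefix, which is the same behaviour that makes it strip harmless `.json` links, so the list should spell out every extension in full: `define('FORBIDDEN_EXTENSIONS', ['swf', 'js', 'htm', 'html']);`. The docblock typo `extentions` should read `extensions`, and it would help to state that entries are bare extensions without the leading dot, since the consumer prepends `\.` itself.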
@ -9,7 +9,8 @@
namespace helpers;
namespace helpers;
|
|
|
|
class Markdown extends \Parsedown {
class Markdown extends \Parsedown
{
|
|
/**
/**
* Transform markdown to HTML. The HTML will be purified to prevent XSS.
* Transform markdown to HTML. The HTML will be purified to prevent XSS.
@ -21,9 +22,22 @@ class Markdown extends \Parsedown {
$this->setBreaksEnabled(true);
$this->setBreaksEnabled(true);
$html = parent::text($markdown);
$html = parent::text($markdown);
|
|
$html = $this->removeUnsafeFileExtensions($html);
return $this->purifyHtml($html);
return $this->purifyHtml($html);
}
}
|
|
/**
* <a href="http://issues.piwik.org/attachments/1199/swelen_dateslider.swf">swelen_dateslider.swf</a>
* to
* <a href="http://issues.piwik.org/">swelen_dateslider.swf</a>
* @param $html
* @return string html
*/
private function removeUnsafeFileExtensions($html) {
$regex = '/attachments\/(.*?)\.(' . implode("|", FORBIDDEN_EXTENSIONS) . ')/';
return preg_replace($regex, "", $html);
}
|
|
private function purifyHtml($html) {
private function purifyHtml($html) {
$config = \HTMLPurifier_Config::createDefault();
$config = \HTMLPurifier_Config::createDefault();
$config->set('HTML.Doctype', 'XHTML 1.0 Transitional');
$config->set('HTML.Doctype', 'XHTML 1.0 Transitional');
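Review bot: The pattern built in removeUnsafeFileExtensions has no boundary after the extension group and no `i` modifier, so the list entry `js` also strips legitimate links such as `data.json` or `page.jsp`, while an upper-case spelling of a listed extension is left untouched. The `(.*?)` part is not confined to the attribute value either: for an attachment whose href ends in a safe extension but whose link text ends in a listed one, the match runs through the closing quote into the text and the remaining markup is broken (`<a href="http://issues.piwik.org/</a>`). Restricting the path segment to non-quote, non-whitespace characters, requiring the extension to end at a non-alphanumeric character, adding `i` and `preg_quote`-ing each entry addresses all three; once the boundary is enforced `htm` no longer covers `.html`, so the config list must spell that out. preg_replace returns null on a pattern error, and that null should not be handed on to purifyHtml as if it were cleaned HTML; the Markdown class body continues outside the hunk.
```php
private function removeUnsafeFileExtensions($html) {
    $alternation = implode('|', array_map(
        static function ($ext) { return preg_quote($ext, '/'); },
        FORBIDDEN_EXTENSIONS
    ));
    // Path part may not leave the attribute value; extension must end at a non-word character.
    $regex = '/attachments\/[^"\'\s<>]*?\.(' . $alternation . ')(?![a-z0-9])/i';
    $result = preg_replace($regex, '', $html);
    if ($result === null) {
        // Fail closed: a pattern error must not let the original HTML through unfiltered.
        throw new \RuntimeException('removeUnsafeFileExtensions: preg_replace failed, error ' . preg_last_error());
    }

    return $result;
}
```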