fixes #5 - disallow unsafe file extensions
This commit is contained in:
parent
45bf11a433
commit
6a3167d461
2 changed files with 21 additions and 1 deletions
@ -32,3 +32,9 @@ define('NUMBER_OF_ISSUES_PER_PAGE', 100);
* error messages will be displayed if enabled.
*/
define('DEBUG_ENABLED', false);
/**
* Set list of file extentions that should be disallowed in links
* see https://github.com/piwik/github-issues-mirror/issues/5
*/
define('FORBIDDEN_EXTENSIONS', ['swf', 'js', 'htm']);
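Review bot: The docblock above the new constant misspells "extentions"; `* List of file extensions that are disallowed in attachment links` reads cleaner and matches the commit title. Because the entries are interpolated verbatim into a regular expression by helpers\Markdown::removeUnsafeFileExtensions in the other file of this commit, the same comment should say so, e.g. `* Entries are used as literal regex alternatives; do not add metacharacters.`, so a later addition does not silently change the pattern.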
@ -9,7 +9,8 @@
namespace helpers;
class Markdown extends \Parsedown {
class Markdown extends \Parsedown
{
/**
* Transform markdown to HTML. The HTML will be purified to prevent XSS.
@ -21,9 +22,22 @@ class Markdown extends \Parsedown {
$this->setBreaksEnabled(true);
$html = parent::text($markdown);
$html = $this->removeUnsafeFileExtensions($html);
return $this->purifyHtml($html);
}
/**
* <a href="http://issues.piwik.org/attachments/1199/swelen_dateslider.swf">swelen_dateslider.swf</a>
* to
* <a href="http://issues.piwik.org/">swelen_dateslider.swf</a>
* @param $html
* @return string html
*/
private function removeUnsafeFileExtensions($html) {
$regex = '/attachments\/(.*?)\.(' . implode("|", FORBIDDEN_EXTENSIONS) . ')/';
return preg_replace($regex, "", $html);
}
private function purifyHtml($html) {
$config = \HTMLPurifier_Config::createDefault();
$config->set('HTML.Doctype', 'XHTML 1.0 Transitional');
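Review bot: The pattern built in removeUnsafeFileExtensions is case-sensitive and has no terminator after the extension group, so an attachment link ending in `.SWF` or `.Js` is left intact while a harmless `.json` or `.html` link is truncated at its `.js`/`.htm` prefix; the lazy `.*?` also runs across quotes and `>`, so an `attachments/` URL followed later in the markup by any forbidden extension is stripped together with everything in between (the purifier run afterwards will presumably repair the tags, but the link text is lost). Limiting the path to URL characters, adding a lookahead and the `i` flag addresses all three: `$regex = '/attachments\/[^"\'\s<>]*?\.(' . implode('|', FORBIDDEN_EXTENSIONS) . ')(?![a-z0-9])/i';`. The new method and its parameter are untyped although the docblock declares `@return string`; `private function removeUnsafeFileExtensions(string $html): string` keeps them consistent. The docblock also opens with an example and no purpose line; a first sentence such as `Strips the attachment path from links whose extension is listed in FORBIDDEN_EXTENSIONS, leaving the link pointing at the site root.` would tell a reader what the example demonstrates. The purifyHtml body continues past the end of the hunk.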