fixes #5 - disallow unsafe file extensions

src/config/config.example.php

@@ -32,3 +32,9 @@ define('NUMBER_OF_ISSUES_PER_PAGE', 100);
  * error messages will be displayed if enabled.
  */
 define('DEBUG_ENABLED', false);
+
+/**
+ * Set list of file extentions that should be disallowed in links
+ * see https://github.com/piwik/github-issues-mirror/issues/5
+ */
+define('FORBIDDEN_EXTENSIONS', ['swf', 'js', 'htm']);

src/helpers/Markdown.php

@@ -9,7 +9,8 @@
 namespace helpers;
 
 
-class Markdown extends \Parsedown {
+class Markdown extends \Parsedown
+{
 
     /**
      * Transform markdown to HTML. The HTML will be purified to prevent XSS.
@@ -21,9 +22,22 @@ class Markdown extends \Parsedown {
         $this->setBreaksEnabled(true);
         $html = parent::text($markdown);
 
+        $html = $this->removeUnsafeFileExtensions($html);
         return $this->purifyHtml($html);
     }
 
+    /**
+     * <a href="http://issues.piwik.org/attachments/1199/swelen_dateslider.swf">swelen_dateslider.swf</a>
+     * to
+     * <a href="http://issues.piwik.org/">swelen_dateslider.swf</a>
+     * @param $html
+     * @return string html
+     */
+    private function removeUnsafeFileExtensions($html) {
+        $regex = '/attachments\/(.*?)\.(' . implode("|", FORBIDDEN_EXTENSIONS) . ')/';
+        return preg_replace($regex, "", $html);
+    }
+
     private function purifyHtml($html) {
         $config = \HTMLPurifier_Config::createDefault();
         $config->set('HTML.Doctype', 'XHTML 1.0 Transitional');