commit 289d9a009d3c0fb6063f9c3586d617317414644d
parent 8f0089b080c8485e627b4adc8a83f80c3978b78e
Author: markseu <mark2011@mayberg.se>
Date: Fri, 29 Aug 2014 09:15:49 +0200
Markdown update (safe mode)
Diffstat:
5 files changed, 27 insertions(+), 21 deletions(-)
diff --git a/README.md b/README.md
@@ -1,4 +1,4 @@
-Yellow 0.3.17
+Yellow 0.3.18
=============
Yellow is for people who make websites. [Visit website](http://datenstrom.se/yellow).
diff --git a/system/config/config.ini b/system/config/config.ini
@@ -3,9 +3,8 @@
sitename = Yellow
author = Yellow
language = en
-template = default
style = default
-parser = markdownextra
+template = default
// serverScheme = http
// serverName = your.domain.name
@@ -26,11 +25,12 @@ contentDir = content/
contentHomeDir = home/
contentDefaultFile = page.txt
contentPagination = page
-contentHtmlFilter = 0
contentExtension = .txt
configExtension = .ini
errorPageFile = error(.*).txt
textStringFile = text(.*).ini
+parser = markdownextra
+parserSafeMode = 0
webinterfaceLocation = /edit/
webinterfaceServerScheme = http
webinterfaceUserHashAlgorithm = bcrypt
diff --git a/system/core/core-markdownextra.php b/system/core/core-markdownextra.php
@@ -5,7 +5,7 @@
// Markdown extra core plugin
class YellowMarkdownExtra
{
- const Version = "0.3.10";
+ const Version = "0.3.11";
var $yellow; //access to API
// Handle plugin initialisation
@@ -34,12 +34,12 @@ class YellowMarkdownExtraParser extends MarkdownExtraParser
$this->yellow = $yellow;
$this->page = $page;
$this->idAttributes = array();
- $this->no_markup = (bool)$this->yellow->config->get("contentHtmlFilter");
- $this->no_entities = (bool)$this->yellow->config->get("contentHtmlFilter");
+ $this->no_markup = $page->parserSafeMode;
+ $this->no_entities = $page->parserSafeMode;
$this->url_filter_func = function($url) use ($yellow, $page)
{
return $yellow->toolbox->normaliseLocation($url, $page->base, $page->location,
- (bool)$yellow->config->get("contentHtmlFilter") && $page->statusCode!=424);
+ $page->parserSafeMode && $page->statusCode==200);
};
parent::__construct();
}
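Review bot: The new `$this->no_markup`/`$this->no_entities` assignments take `$page->parserSafeMode` without the `(bool)` cast the removed lines applied, and parseData in core.php (same commit) fills that property straight from `config->get("parserSafeMode")`, whose default is the string `"0"` even though the property's declaration comment calls it a boolean. PHP truthiness masks that here, but the core-webinterface.php hunk then `json_encode`s the same value into `yellow.page.parserSafeMode`, where a JSON string `"0"` is truthy in JavaScript. The cleanest fix is at the source in parseData, `$this->parserSafeMode = (bool)$this->yellow->config->get("parserSafeMode");`, which covers this hunk and the webinterface one at once. Separately, the URL filter condition narrows from `statusCode!=424` to `statusCode==200`, so content rendered under any other status code is no longer filtered in safe mode; if error pages can carry user-supplied links, confirm that is intended. The constructor's signature is above the hunk.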
@@ -2947,6 +2947,11 @@ class MarkdownExtraParser extends MarkdownParser {
}xm',
array($this, '_processDefListItems_callback_dd'), $list_str);
+ # Catch unescaped text, security bugfix for https://github.com/michelf/php-markdown/issues/175
+ if(preg_match("/^(?!\n<dt>)(.*?)(<dd>.*)$/s", $list_str, $matches))
+ {
+ $list_str = "<dt>".$this->runSpanGamut($matches[1])."</dt>\n".$matches[2];
+ }
return $list_str;
}
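Review bot: The new guard recognises already-rendered output only by a `\n<dt>` prefix, so a `$list_str` that begins with `<dt>` without the leading newline would be captured by `(.*?)` and wrapped in a second `<dt>`; confirm against `_processDefListItems_callback_dt` (outside the hunk) that its output always starts with `\n<dt>`, or loosen the lookahead to `(?!\s*<dt>)`. Since this is a backport of an upstream fix, I would extend the comment to record the upstream release it corresponds to and why the captured text goes through `runSpanGamut`, e.g. `# Text before the first <dd> was never matched as a term and would reach the output unescaped; render it like a normal <dt>`. The enclosing function starts before the hunk.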
protected function _processDefListItems_callback_dt($matches) {
diff --git a/system/core/core-webinterface.php b/system/core/core-webinterface.php
@@ -5,7 +5,7 @@
// Web interface core plugin
class YellowWebinterface
{
- const Version = "0.3.6";
+ const Version = "0.3.7";
var $yellow; //access to API
var $users; //web interface users
var $active; //web interface is active? (boolean)
@@ -103,10 +103,11 @@ class YellowWebinterface
$header .= "// <![CDATA[\n";
if($this->isUser())
{
- $header .= "yellow.page.userPermission = " .json_encode($this->userPermission).";\n";
+ $header .= "yellow.page.userPermission = ".json_encode($this->userPermission).";\n";
$header .= "yellow.page.rawDataSource = ".json_encode($this->rawDataSource).";\n";
$header .= "yellow.page.rawDataEdit = ".json_encode($this->rawDataEdit).";\n";
$header .= "yellow.page.rawDataNew = ".json_encode($this->getDataNew()).";\n";
+ $header .= "yellow.page.parserSafeMode = ".json_encode($page->parserSafeMode).";\n";
$header .= "yellow.page.statusCode = ".json_encode($page->statusCode).";\n";
}
$header .= "yellow.config = ".json_encode($this->getDataConfig()).";\n";
diff --git a/system/core/core.php b/system/core/core.php
@@ -5,7 +5,7 @@
// Yellow main class
class Yellow
{
- const Version = "0.3.17";
+ const Version = "0.3.18";
var $page; //current page
var $pages; //pages from file system
var $config; //configuration
@@ -23,9 +23,8 @@ class Yellow
$this->config->setDefault("sitename", "Yellow");
$this->config->setDefault("author", "Yellow");
$this->config->setDefault("language", "en");
- $this->config->setDefault("template", "default");
$this->config->setDefault("style", "default");
- $this->config->setDefault("parser", "markdownextra");
+ $this->config->setDefault("template", "default");
$this->config->setDefault("serverScheme", $this->toolbox->getServerScheme());
$this->config->setDefault("serverName", $this->toolbox->getServerName());
$this->config->setDefault("serverBase", $this->toolbox->getServerBase());
@@ -44,12 +43,13 @@ class Yellow
$this->config->setDefault("contentHomeDir", "home/");
$this->config->setDefault("contentDefaultFile", "page.txt");
$this->config->setDefault("contentPagination", "page");
- $this->config->setDefault("contentHtmlFilter", "0");
$this->config->setDefault("contentExtension", ".txt");
$this->config->setDefault("configExtension", ".ini");
$this->config->setDefault("configFile", "config.ini");
$this->config->setDefault("errorPageFile", "error(.*).txt");
$this->config->setDefault("textStringFile", "text(.*).ini");
+ $this->config->setDefault("parser", "markdownextra");
+ $this->config->setDefault("parserSafeMode", "0");
$this->config->load($this->config->get("configDir").$this->config->get("configFile"));
$this->text->load($this->config->get("configDir").$this->config->get("textStringFile"));
$this->updateConfig();
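Review bot: The `contentHtmlFilter` default is removed and `parserSafeMode` defaults to `"0"`, but nothing maps the old key to the new one, so a site whose config.ini still sets `contentHtmlFilter = 1` silently loses HTML filtering after this upgrade (the config.ini shipped in this commit also sets `parserSafeMode = 0`). I would either honour the legacy key as a fallback after `load()` — `updateConfig()` is called right here and looks like the natural place — or at least call the rename out in the release notes so operators re-enable the filter under the new name. The enclosing method starts and ends outside the hunk.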
@@ -329,6 +329,7 @@ class YellowPage
var $headerData; //response header
var $parserData; //content data of page
var $parser; //content parser
+ var $parserSafeMode; //page is parsed in safe mode? (boolean)
var $active; //page is active location? (boolean)
var $visible; //page is visible location? (boolean)
var $cacheable; //page is cacheable? (boolean)
@@ -351,6 +352,7 @@ class YellowPage
function parseData($rawData, $cacheable, $statusCode, $pageError = "")
{
$this->rawData = $rawData;
+ $this->parserSafeMode = $this->yellow->config->get("parserSafeMode");
$this->active = $this->yellow->toolbox->isActiveLocation($this->location, $this->yellow->page->location);
$this->visible = $this->yellow->toolbox->isVisibleLocation($this->location, $this->fileName,
$this->yellow->config->get("contentDir"));
@@ -386,10 +388,10 @@ class YellowPage
$this->set("sitename", $this->yellow->config->get("sitename"));
$this->set("author", $this->yellow->config->get("author"));
$this->set("language", $this->yellow->config->get("language"));
- $this->set("template", $this->yellow->toolbox->findNameFromFile($this->fileName,
- $this->yellow->config->get("templateDir"), $this->yellow->config->get("template"), ".php"));
$this->set("style", $this->yellow->toolbox->findNameFromFile($this->fileName,
$this->yellow->config->get("styleDir"), $this->yellow->config->get("style"), ".css"));
+ $this->set("template", $this->yellow->toolbox->findNameFromFile($this->fileName,
+ $this->yellow->config->get("templateDir"), $this->yellow->config->get("template"), ".php"));
$this->set("parser", $this->yellow->config->get("parser"));
if(preg_match("/^(\-\-\-[\r\n]+)(.+?)([\r\n]+\-\-\-[\r\n]+)/s", $this->rawData, $parsed))
@@ -1522,7 +1524,7 @@ class YellowToolbox
return $fileNames;
}
- // Return file/template/style name from file path
+ // Return file/style/template name from file path
function findNameFromFile($fileName, $pathBase, $nameDefault, $fileExtension, $includeFileName = false)
{
$name = "";
@@ -1546,10 +1548,6 @@ class YellowToolbox
// Normalise location, make absolute location
function normaliseLocation($location, $pageBase, $pageLocation, $filterStrict = true)
{
- if($filterStrict)
- {
- if(preg_match("/^javascript:/i", $location)) $location = "xss";
- }
if(!preg_match("/^\w+:/", html_entity_decode($location, ENT_QUOTES, "UTF-8")))
{
if(!preg_match("/^\//", $location))
@@ -1560,6 +1558,8 @@ class YellowToolbox
{
$location = $pageBase.$location;
}
+ } else {
+ if($filterStrict && !preg_match("/^(http|https|ftp|mailto):/", $location)) $location = "error-xss-filter";
}
return $location;
}
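Review bot: The new scheme allowlist tests the raw `$location` while the branch it sits in was selected on `html_entity_decode($location)`, so an entity-encoded scheme lands here and is rejected rather than decoded and re-checked — that is fail-closed, which is right, but worth a one-line comment so nobody "fixes" it by matching on the decoded form. The removed `javascript:` check was case-insensitive and the allowlist is not, so `HTTP://` or `Mailto:` links now become `error-xss-filter` in safe mode; if those should pass, use `if($filterStrict && !preg_match("/^(http|https|ftp|mailto):/i", $location)) $location = "error-xss-filter";`, which stays fail-closed for anything not listed. The `} else {` on one line also departs from the brace-on-its-own-line style the rest of this function uses. normaliseLocation starts in the previous hunk; its closing brace is in this one.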