commit ec418ba5bc970699be32483e9bf20a62d76dfd8c
parent 456c325d67aa8ff07f6f75b1104737050df49bb2
Author: markseu <mark2011@mayberg.se>
Date: Tue, 2 Sep 2014 13:14:34 +0200
Core update (safe mode)
Diffstat:
3 files changed, 32 insertions(+), 22 deletions(-)
diff --git a/README.md b/README.md
@@ -1,4 +1,4 @@
-Yellow 0.3.18
+Yellow 0.3.19
=============
Yellow is for people who make websites. [Visit website](http://datenstrom.se/yellow).
diff --git a/system/core/core-markdownextra.php b/system/core/core-markdownextra.php
@@ -5,7 +5,7 @@
// Markdown extra core plugin
class YellowMarkdownExtra
{
- const Version = "0.3.11";
+ const Version = "0.3.12";
var $yellow; //access to API
// Handle plugin initialisation
@@ -2856,6 +2856,9 @@ class MarkdownExtraParser extends MarkdownParser {
#
# Form HTML definition lists.
#
+ # Prevent unescaped text, security bugfix for https://github.com/michelf/php-markdown/issues/175
+ if ($this->no_markup) return $text;
+
$less_than_tab = $this->tab_width - 1;
# Re-usable pattern to match any entire dl list:
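Review bot: The new guard `if ($this->no_markup) return $text;` skips definition-list processing altogether whenever raw markup is disabled, so documents rendered in that mode no longer get any `<dl>` output; that is a functional change beyond the bug fix and the comment should say so, e.g. `# In no_markup mode the definition-list syntax is left untouched instead of being converted (issue 175)`. It replaces the post-processing fallback removed from `_processDefListItems` in the following hunk, so the two hunks together alter behaviour for every caller that sets `no_markup`, which deserves a changelog line rather than only the version bump. The single-line `if` without braces also differs from the braced style used by the code it replaces. The enclosing method begins before this hunk.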
@@ -2947,11 +2950,6 @@ class MarkdownExtraParser extends MarkdownParser {
}xm',
array($this, '_processDefListItems_callback_dd'), $list_str);
- # Catch unescaped text, security bugfix for https://github.com/michelf/php-markdown/issues/175
- if(preg_match("/^(?!\n<dt>)(.*?)(<dd>.*)$/s", $list_str, $matches))
- {
- $list_str = "<dt>".$this->runSpanGamut($matches[1])."</dt>\n".$matches[2];
- }
return $list_str;
}
protected function _processDefListItems_callback_dt($matches) {
diff --git a/system/core/core.php b/system/core/core.php
@@ -5,7 +5,7 @@
// Yellow main class
class Yellow
{
- const Version = "0.3.18";
+ const Version = "0.3.19";
var $page; //current page
var $pages; //pages from file system
var $config; //configuration
@@ -1399,11 +1399,16 @@ class YellowToolbox
function isVisibleLocation($location, $fileName, $pathBase)
{
$visible = true;
- if(substru($fileName, 0, strlenu($pathBase)) == $pathBase) $fileName = substru($fileName, strlenu($pathBase));
- $tokens = explode('/', $fileName);
- for($i=0; $i<count($tokens)-1; ++$i)
+ if(substru($fileName, 0, strlenu($pathBase)) == $pathBase)
{
- if(!preg_match("/^[\d\-\_\.]+(.*)$/", $tokens[$i])) { $visible = false; break; }
+ $fileName = substru($fileName, strlenu($pathBase));
+ $tokens = explode('/', $fileName);
+ for($i=0; $i<count($tokens)-1; ++$i)
+ {
+ if(!preg_match("/^[\d\-\_\.]+(.*)$/", $tokens[$i])) { $visible = false; break; }
+ }
+ } else {
+ $visible = false;
}
return $visible;
}
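Review bot: The prefix test `substru($fileName, 0, strlenu($pathBase)) == $pathBase` uses loose comparison; for a visibility decision that now correctly fails closed in the new `else` branch, `===` avoids PHP's numeric-string rules for `==` at no cost, and the same applies to the matching test in `findLocationFromFile` in the next hunk. When `$fileName` equals `$pathBase` exactly, the stripped name is empty, `explode` yields one token, the loop never runs and the result stays `true`; if that case can occur, a one-line comment stating it is intended would help the next reader. `substru` and `strlenu` look like the project's multibyte string helpers — confirm they return the same types as the native functions so the comparison behaves as expected.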
@@ -1412,17 +1417,24 @@ class YellowToolbox
function findLocationFromFile($fileName, $pathBase, $pathHome, $fileDefault, $fileExtension)
{
$location = "/";
- if(substru($fileName, 0, strlenu($pathBase)) == $pathBase) $fileName = substru($fileName, strlenu($pathBase));
- $tokens = explode('/', $fileName);
- for($i=0; $i<count($tokens)-1; ++$i)
+ if(substru($fileName, 0, strlenu($pathBase)) == $pathBase)
{
- $token = $this->normaliseName($tokens[$i]).'/';
- if($i || $token!=$pathHome) $location .= $token;
+ $fileName = substru($fileName, strlenu($pathBase));
+ $tokens = explode('/', $fileName);
+ for($i=0; $i<count($tokens)-1; ++$i)
+ {
+ $token = $this->normaliseName($tokens[$i]).'/';
+ if($i || $token!=$pathHome) $location .= $token;
+ }
+ $token = $this->normaliseName($tokens[$i]);
+ $fileFolder = $this->normaliseName($tokens[$i-1]).$fileExtension;
+ if($token!=$fileDefault && $token!=$fileFolder) $location .= $this->normaliseName($tokens[$i], true, true);
+ $extension = ($pos = strrposu($fileName, '.')) ? substru($fileName, $pos) : "";
+ if($extension != $fileExtension) $invalid = true;
+ } else {
+ $invalid = true;
}
- $token = $this->normaliseName($tokens[$i]);
- $fileFolder = $this->normaliseName($tokens[$i-1]).$fileExtension;
- if($token!=$fileDefault && $token!=$fileFolder) $location .= $this->normaliseName($tokens[$i], true, true);
- return $location;
+ return $invalid ? "" : $location;
}
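Review bot: `$invalid` is never initialised, so on the success path `return $invalid ? "" : $location;` reads an undefined variable; it happens to evaluate as null and return `$location`, but it raises an undefined-variable notice for every valid file and hides the intent. Add `$invalid = false;` beside `$location = "/";` so the fail-closed default is explicit. The `==` on the prefix test and the `!=` on the extension test are loose comparisons; `===`/`!==` is the safer choice in a path-validation routine. The new `else` returning `""` for files outside `$pathBase`, together with the extension check, is the right direction — confirm that callers treat `""` as "no location" rather than as a valid path.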
// Return file path from location
@@ -1548,7 +1560,7 @@ class YellowToolbox
// Normalise location, make absolute location
function normaliseLocation($location, $pageBase, $pageLocation, $filterStrict = true)
{
- if(!preg_match("/^\w+:/", html_entity_decode($location, ENT_QUOTES, "UTF-8")))
+ if(!preg_match("/^\w+:/", trim(html_entity_decode($location, ENT_QUOTES, "UTF-8"))))
{
if(!preg_match("/^\//", $location))
{
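Review bot: `trim()` is applied only to the decoded copy used for the scheme test, while the next line's `preg_match("/^\//", $location)` still inspects the untrimmed `$location`, so a value with leading whitespace now passes the scheme check yet is not recognised as absolute either and falls through to the branches outside this hunk. Normalise once and test the same value throughout, e.g. `$decoded = trim(html_entity_decode($location, ENT_QUOTES, "UTF-8"));` followed by `if(!preg_match("/^\w+:/", $decoded))` and `if(!preg_match("/^\//", $decoded))`. A short comment on why the scheme test runs on the entity-decoded, trimmed form would also make the check's purpose clear to later maintainers. The function continues past the end of this hunk.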