Skip to content

Commit

Permalink
Add rawHtml without using it (extensions may opt-in)
Browse files Browse the repository at this point in the history
  • Loading branch information
aidantwoods committed Dec 30, 2019
1 parent 7073ac3 commit add8d18
Show file tree
Hide file tree
Showing 3 changed files with 97 additions and 3 deletions.
25 changes: 22 additions & 3 deletions Parsedown.php
Original file line number Diff line number Diff line change
Expand Up @@ -1489,22 +1489,41 @@ protected function element(array $Element)
}
}

$permitRawHtml = false;

if (isset($Element['text']))
{
$text = $Element['text'];
}
// very strongly consider an alternative if you're writing an
// extension
elseif (isset($Element['rawHtml']))
{
$text = $Element['rawHtml'];
$allowRawHtmlInSafeMode = isset($Element['allowRawHtmlInSafeMode']) && $Element['allowRawHtmlInSafeMode'];
$permitRawHtml = !$this->safeMode || $allowRawHtmlInSafeMode;
}

if (isset($text))
{
$markup .= '>';

if (!isset($Element['nonNestables']))
if (!isset($Element['nonNestables']))
{
$Element['nonNestables'] = array();
}

if (isset($Element['handler']))
{
$markup .= $this->{$Element['handler']}($Element['text'], $Element['nonNestables']);
$markup .= $this->{$Element['handler']}($text, $Element['nonNestables']);
}
elseif (!$permitRawHtml)
{
$markup .= self::escape($text, true);
}
else
{
$markup .= self::escape($Element['text'], true);
$markup .= $text;
}

$markup .= '</'.$Element['name'].'>';
Expand Down
36 changes: 36 additions & 0 deletions test/ParsedownTest.php
Original file line number Diff line number Diff line change
@@ -1,5 +1,7 @@
<?php

require 'SampleExtensions.php';

use PHPUnit\Framework\TestCase;

class ParsedownTest extends TestCase
Expand Down Expand Up @@ -55,6 +57,40 @@ function test_($test, $dir)
$this->assertEquals($expectedMarkup, $actualMarkup);
}

function testRawHtml()
{
$markdown = "```php\nfoobar\n```";
$expectedMarkup = '<pre><code class="language-php"><p>foobar</p></code></pre>';
$expectedSafeMarkup = '<pre><code class="language-php">&lt;p&gt;foobar&lt;/p&gt;</code></pre>';

$unsafeExtension = new UnsafeExtension;
$actualMarkup = $unsafeExtension->text($markdown);

$this->assertEquals($expectedMarkup, $actualMarkup);

$unsafeExtension->setSafeMode(true);
$actualSafeMarkup = $unsafeExtension->text($markdown);

$this->assertEquals($expectedSafeMarkup, $actualSafeMarkup);
}

function testTrustDelegatedRawHtml()
{
$markdown = "```php\nfoobar\n```";
$expectedMarkup = '<pre><code class="language-php"><p>foobar</p></code></pre>';
$expectedSafeMarkup = $expectedMarkup;

$unsafeExtension = new TrustDelegatedExtension;
$actualMarkup = $unsafeExtension->text($markdown);

$this->assertEquals($expectedMarkup, $actualMarkup);

$unsafeExtension->setSafeMode(true);
$actualSafeMarkup = $unsafeExtension->text($markdown);

$this->assertEquals($expectedSafeMarkup, $actualSafeMarkup);
}

function data()
{
$data = array();
Expand Down
39 changes: 39 additions & 0 deletions test/SampleExtensions.php
Original file line number Diff line number Diff line change
@@ -0,0 +1,39 @@
<?php

class UnsafeExtension extends Parsedown
{
protected function blockFencedCodeComplete($Block)
{
$text = $Block['element']['text']['text'];
unset($Block['element']['text']['text']);

// WARNING: There is almost always a better way of doing things!
//
// This example is one of them, unsafe behaviour is NOT needed here.
// Only use this if you trust the input and have no idea what
// the output HTML will look like (e.g. using an external parser).
$Block['element']['text']['rawHtml'] = "<p>$text</p>";

return $Block;
}
}

class TrustDelegatedExtension extends Parsedown
{
protected function blockFencedCodeComplete($Block)
{
$text = $Block['element']['text']['text'];
unset($Block['element']['text']['text']);

// WARNING: There is almost always a better way of doing things!
//
// This behaviour is NOT needed in the demonstrated case.
// Only use this if you are sure that the result being added into
// rawHtml is safe.
// (e.g. using an external parser with escaping capabilities).
$Block['element']['text']['rawHtml'] = "<p>$text</p>";
$Block['element']['text']['allowRawHtmlInSafeMode'] = true;

return $Block;
}
}

0 comments on commit add8d18

Please sign in to comment.