Add new backend.allow_unsafe_markdown permission

octobercms · May 26, 2020 · 9ecfb48 · 9ecfb48
1 parent 655c801
commit 9ecfb48
Show file tree

Hide file tree

Showing 3 changed files with 46 additions and 6 deletions.
diff --git a/modules/backend/ServiceProvider.php b/modules/backend/ServiceProvider.php
@@ -4,6 +4,7 @@
 use Backend;
 use BackendMenu;
 use BackendAuth;
+use Backend\Models\UserRole;
 use Backend\Classes\WidgetManager;
 use System\Classes\MailManager;
 use System\Classes\CombineAssets;
@@ -168,7 +169,12 @@ protected function registerBackendPermissions()
                 'media.manage_media' => [
                     'label' => 'backend::lang.permissions.manage_media',
                     'tab' => 'system::lang.permissions.name',
-                ]
+                ],
+                'backend.allow_unsafe_markdown' => [
+                    'label' => 'backend::lang.permissions.allow_unsafe_markdown',
+                    'tab' => 'system::lang.permissions.name',
+                    'roles' => UserRole::CODE_DEVELOPER,
+                ],
             ]);
         });
     }

diff --git a/modules/backend/formwidgets/MarkdownEditor.php b/modules/backend/formwidgets/MarkdownEditor.php
@@ -1,7 +1,8 @@
 <?php namespace Backend\FormWidgets;
 
-use BackendAuth;
+use Html;
 use Markdown;
+use BackendAuth;
 use Backend\Classes\FormWidgetBase;
 
 /**
@@ -42,12 +43,12 @@ class MarkdownEditor extends FormWidgetBase
     //
 
     /**
-     * @inheritDoc
+     * {@inheritDoc}
      */
     protected $defaultAlias = 'markdown';
 
     /**
-     * @inheritDoc
+     * {@inheritDoc}
      */
     public function init()
     {
@@ -60,7 +61,7 @@ public function init()
     }
 
     /**
-     * @inheritDoc
+     * {@inheritDoc}
      */
     public function render()
     {
@@ -84,7 +85,7 @@ public function prepareVars()
     }
 
     /**
-     * @inheritDoc
+     * {@inheritDoc}
      */
     protected function loadAssets()
     {
@@ -93,13 +94,45 @@ protected function loadAssets()
         $this->addJs('/modules/backend/formwidgets/codeeditor/assets/js/build-min.js', 'core');
     }
 
+    /**
+     * Check to see if the generated HTML should be cleaned to remove any potential XSS
+     *
+     * @return boolean
+     */
+    protected function shouldCleanHtml()
+    {
+        $user = BackendAuth::getUser();
+        return !$user || !$user->hasAccess('backend.allow_unsafe_markdown');
+    }
+
+    /**
+     * {@inheritDoc}
+     */
+    public function getSaveValue($value)
+    {
+        if ($this->shouldCleanHtml()) {
+            $value = Html::clean($value);
+        }
+
+        return $value;
+    }
+
+    /**
+     * AJAX handler to render the markdown as HTML
+     *
+     * @return array ['preview' => $generatedHTML]
+     */
     public function onRefresh()
     {
         $value = post($this->getFieldName());
         $previewHtml = $this->safe
             ? Markdown::parseSafe($value)
             : Markdown::parse($value);
 
+        if ($this->shouldCleanHtml()) {
+            $previewHtml = Html::clean($previewHtml);
+        }
+
         return [
             'preview' => $previewHtml
         ];

diff --git a/modules/backend/lang/en/lang.php b/modules/backend/lang/en/lang.php
@@ -567,6 +567,7 @@
     ],
     'permissions' => [
         'manage_media' => 'Upload and manage media contents - images, videos, sounds, documents',
+        'allow_unsafe_markdown' => 'Use unsafe Markdown (can use HTML & JS)',
     ],
     'mediafinder' => [
         'label' => 'Media Finder',