Add markdown_escape setting #785

ArthurHoaro · 2017-02-27T18:53:22Z

This setting allows to escape HTML in markdown rendering or not.
The goal behind it is to avoid XSS issue in shared instances.

More info:

the setting is set to true by default
it is set to false for anyone who already have the plugin enabled
(avoid breaking existing entries)
improve the HTML sanitization when the setting is set to false - but don't consider it XSS proof
mention the setting in the plugin README

This need to be backported and released in v0.7.x and v0.8.x.

This PR is high priority.

virtualtam · 2017-02-27T20:08:59Z

tests/Updater/UpdaterTest.php

+    /**
+     * Test updateMethodEscapeMarkdown with nothing to do (setting already set)
+     */
+    public function testEscapeMarkdownSettingNothingToDo()


should be split in two tests:

setting previously enabled

setting previously disabled

This setting allows to escape HTML in markdown rendering or not. The goal behind it is to avoid XSS issue in shared instances. More info: * the setting is set to true by default * it is set to false for anyone who already have the plugin enabled (avoid breaking existing entries) * improve the HTML sanitization when the setting is set to false - but don't consider it XSS proof * mention the setting in the plugin README

ArthurHoaro · 2017-02-28T18:23:29Z

Updated and rebased.

virtualtam

Travis CI is currently down due to an AWS outage, hence the failing/unavailable builds

https://www.traviscistatus.com/incidents/hx7cnxbch9xf

virtualtam

Build passed ;-)

virtualtam · 2017-03-04T09:15:59Z

v0.8.4 released, v0.7.1 requires a bit more work ~~as some tests fail on v0.7~~

EDIT:

there is 1 test on v0.7.0 that fails with PHP 7.1 (not supported on the v0.7.x series)
ConfigManager was introduced in v0.8.x, so backporting this fix to v0.7 is not straightforward

EDIT 2:

security: escape HTML entities when using Markdown #795 for Shaarli v0.7.x

Adapted from shaarli#785 Signed-off-by: VirtualTam <virtualtam@flibidi.net>

ArthurHoaro added in review plugin bells and whistles security labels Feb 27, 2017

ArthurHoaro added this to the 0.9.0 milestone Feb 27, 2017

ArthurHoaro self-assigned this Feb 27, 2017

ArthurHoaro requested review from virtualtam and nodiscc February 27, 2017 18:53

virtualtam approved these changes Feb 27, 2017

View reviewed changes

ArthurHoaro force-pushed the hotfix/markdown-html branch from d8941c5 to e037610 Compare February 28, 2017 18:22

virtualtam approved these changes Mar 1, 2017

View reviewed changes

virtualtam approved these changes Mar 2, 2017

View reviewed changes

virtualtam removed the in review label Mar 4, 2017

virtualtam merged commit 74198dc into shaarli:master Mar 4, 2017

virtualtam added a commit to virtualtam/Shaarli that referenced this pull request Mar 8, 2017

security: escape HTML entities when using Markdown

1328d22

Adapted from shaarli#785 Signed-off-by: VirtualTam <virtualtam@flibidi.net>

virtualtam mentioned this pull request Mar 8, 2017

security: escape HTML entities when using Markdown #795

Merged

ArthurHoaro mentioned this pull request Jul 18, 2018

Stored XSS in Shaare #1183

Closed

Add markdown_escape setting #785

Add markdown_escape setting #785

ArthurHoaro commented Feb 27, 2017

virtualtam Feb 27, 2017

ArthurHoaro commented Feb 28, 2017

virtualtam left a comment

virtualtam left a comment

virtualtam commented Mar 4, 2017 •

edited

Add markdown_escape setting #785

Add markdown_escape setting #785

Conversation

ArthurHoaro commented Feb 27, 2017

virtualtam Feb 27, 2017

Choose a reason for hiding this comment

ArthurHoaro commented Feb 28, 2017

virtualtam left a comment

Choose a reason for hiding this comment

virtualtam left a comment

Choose a reason for hiding this comment

virtualtam commented Mar 4, 2017 • edited

virtualtam commented Mar 4, 2017 •

edited