mirror of
https://github.com/sbrl/Pepperminty-Wiki.git
synced 2024-11-25 17:23:00 +00:00
Fix potential security vulnerability in new variable parsing.
This commit is contained in:
parent
f4ffa86394
commit
42b66729b7
3 changed files with 17 additions and 1 deletions
|
@ -3810,7 +3810,10 @@ class PeppermintParsedown extends ParsedownExtra
|
||||||
|
|
||||||
$variableValue = false;
|
$variableValue = false;
|
||||||
if(isset(array_slice($this->paramStack, -1)[0][$variableKey]))
|
if(isset(array_slice($this->paramStack, -1)[0][$variableKey]))
|
||||||
|
{
|
||||||
$variableValue = array_slice($this->paramStack, -1)[0][$variableKey];
|
$variableValue = array_slice($this->paramStack, -1)[0][$variableKey];
|
||||||
|
$variableValue = $this->escapeText($variableValue);
|
||||||
|
}
|
||||||
|
|
||||||
if($variableValue)
|
if($variableValue)
|
||||||
{
|
{
|
||||||
|
@ -4013,6 +4016,11 @@ class PeppermintParsedown extends ParsedownExtra
|
||||||
];
|
];
|
||||||
}
|
}
|
||||||
|
|
||||||
|
protected function escapeText($text)
|
||||||
|
{
|
||||||
|
return htmlentities($text, ENT_COMPAT | ENT_HTML5);
|
||||||
|
}
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Sets the base url to be used for internal links. '%s' will be replaced
|
* Sets the base url to be used for internal links. '%s' will be replaced
|
||||||
* with a URL encoded version of the page name.
|
* with a URL encoded version of the page name.
|
||||||
|
|
|
@ -194,7 +194,7 @@
|
||||||
"author": "Emanuil Rusev & Starbeamrainbowlabs",
|
"author": "Emanuil Rusev & Starbeamrainbowlabs",
|
||||||
"description": "An upgraded (now default!) parser based on Emanuil Rusev's Parsedown Extra PHP library (https:\/\/github.com\/erusev\/parsedown-extra), which is licensed MIT. Please be careful, as this module adds a some weight to your installation, and also *requires* write access to the disk on first load.",
|
"description": "An upgraded (now default!) parser based on Emanuil Rusev's Parsedown Extra PHP library (https:\/\/github.com\/erusev\/parsedown-extra), which is licensed MIT. Please be careful, as this module adds a some weight to your installation, and also *requires* write access to the disk on first load.",
|
||||||
"id": "parser-parsedown",
|
"id": "parser-parsedown",
|
||||||
"lastupdate": 1458491883,
|
"lastupdate": 1458492103,
|
||||||
"optional": false
|
"optional": false
|
||||||
}
|
}
|
||||||
]
|
]
|
|
@ -88,7 +88,10 @@ class PeppermintParsedown extends ParsedownExtra
|
||||||
|
|
||||||
$variableValue = false;
|
$variableValue = false;
|
||||||
if(isset(array_slice($this->paramStack, -1)[0][$variableKey]))
|
if(isset(array_slice($this->paramStack, -1)[0][$variableKey]))
|
||||||
|
{
|
||||||
$variableValue = array_slice($this->paramStack, -1)[0][$variableKey];
|
$variableValue = array_slice($this->paramStack, -1)[0][$variableKey];
|
||||||
|
$variableValue = $this->escapeText($variableValue);
|
||||||
|
}
|
||||||
|
|
||||||
if($variableValue)
|
if($variableValue)
|
||||||
{
|
{
|
||||||
|
@ -291,6 +294,11 @@ class PeppermintParsedown extends ParsedownExtra
|
||||||
];
|
];
|
||||||
}
|
}
|
||||||
|
|
||||||
|
protected function escapeText($text)
|
||||||
|
{
|
||||||
|
return htmlentities($text, ENT_COMPAT | ENT_HTML5);
|
||||||
|
}
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Sets the base url to be used for internal links. '%s' will be replaced
|
* Sets the base url to be used for internal links. '%s' will be replaced
|
||||||
* with a URL encoded version of the page name.
|
* with a URL encoded version of the page name.
|
||||||
|
|
Loading…
Reference in a new issue