Fix potential security vulnerability in new variable parsing.

build/index.php

@@ -3810,7 +3810,10 @@ class PeppermintParsedown extends ParsedownExtra
 			
 			$variableValue = false;
 			if(isset(array_slice($this->paramStack, -1)[0][$variableKey]))
+			{
 				$variableValue = array_slice($this->paramStack, -1)[0][$variableKey];
+				$variableValue = $this->escapeText($variableValue);
+			}
 			
 			if($variableValue)
 			{
@@ -4013,6 +4016,11 @@ class PeppermintParsedown extends ParsedownExtra
 		];
 	}
 	
+	protected function escapeText($text)
+	{
+		return htmlentities($text, ENT_COMPAT | ENT_HTML5);
+	}
+	
 	/**
 	 * Sets the base url to be used for internal links. '%s' will be replaced
 	 * with a URL encoded version of the page name.

module_index.json

@@ -194,7 +194,7 @@
         "author": "Emanuil Rusev & Starbeamrainbowlabs",
         "description": "An upgraded (now default!) parser based on Emanuil Rusev's Parsedown Extra PHP library (https:\/\/github.com\/erusev\/parsedown-extra), which is licensed MIT. Please be careful, as this module adds a some weight to your installation, and also *requires* write access to the disk on first load.",
         "id": "parser-parsedown",
-        "lastupdate": 1458491883,
+        "lastupdate": 1458492103,
         "optional": false
     }
 ]

modules/parser-parsedown.php

@@ -88,7 +88,10 @@ class PeppermintParsedown extends ParsedownExtra
 			
 			$variableValue = false;
 			if(isset(array_slice($this->paramStack, -1)[0][$variableKey]))
+			{
 				$variableValue = array_slice($this->paramStack, -1)[0][$variableKey];
+				$variableValue = $this->escapeText($variableValue);
+			}
 			
 			if($variableValue)
 			{
@@ -291,6 +294,11 @@ class PeppermintParsedown extends ParsedownExtra
 		];
 	}
 	
+	protected function escapeText($text)
+	{
+		return htmlentities($text, ENT_COMPAT | ENT_HTML5);
+	}
+	
 	/**
 	 * Sets the base url to be used for internal links. '%s' will be replaced
 	 * with a URL encoded version of the page name.