
Commit a8f5f55

committed
Purify parsed markdown output
This may impact page load times, but it's a necessary evil until parsedown's XSS improvements are added. See erusev/parsedown#495.
1 parent 7bb3c11 commit a8f5f55

3 files changed

+61
-5
lines changed


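--- a/app/Twig/Markdown/SafeParsedownEngine.php
+++ b/app/Twig/Markdown/SafeParsedownEngine.php
@@ -16,28 +16,34 @@ class SafeParsedownEngine implements MarkdownEngineInterface {
      */
     protected $engine;
 
+    protected $htmlPurifier;
+
     /**
      * @param string|null $instanceName
      */
     public function __construct($instanceName = null)
     {
         $this->engine = \Parsedown::instance($instanceName);
         $this->engine->setMarkupEscaped(true);
+
+        $this->htmlPurifier = new \HTMLPurifier(\HTMLPurifier_Config::createDefault());
     }
 
     /**
      * {@inheritdoc}
      */
     public function transform($content)
     {
-        return $this->engine->parse($content);
+        $parsed = $this->engine->parse($content);
+
+        return $this->htmlPurifier->purify($parsed);
     }
 
     /**
      * {@inheritdoc}
      */
     public function getName()
     {
-        return 'erusev/parsedown (safe)';
+        return 'erusev/parsedown (safe/purified)';
     }
 }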
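Review bot: The new `$htmlPurifier` property has no docblock while its sibling `$engine` carries one, and the constructor builds the purifier from `HTMLPurifier_Config::createDefault()` with no explicit directives, so the sanitisation policy this class now relies on is entirely implicit. Add `/** @var \HTMLPurifier */` above the property, and a why-comment on the `createDefault()` line stating that the default HTML whitelist is the intended policy for rendered markdown so a later reader does not loosen it casually. With an unconfigured default, HTMLPurifier also appears to write its definition cache into the library's own directory (`Cache.SerializerPath` unset), which on a read-only deploy surfaces as warnings rather than a hard failure; consider `$config->set('Cache.SerializerPath', <writable cache dir>);` or disabling the cache via `Cache.DefinitionImpl` and documenting the choice. Note that `purify()` runs after `setMarkupEscaped(true)`, so raw HTML typed in markdown arrives already entity-escaped and only Parsedown's own generated markup is subject to the purifier, which is worth stating in the `transform` docblock instead of `{@inheritdoc}` alone.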

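--- a/composer.json
+++ b/composer.json
@@ -16,7 +16,8 @@
         "twig/twig": "~2.0",
         "mailgun/mailgun-php": "^2.3",
         "php-http/guzzle6-adapter": "^1.1",
-        "crossjoin/pre-mailer": "^1.0"
+        "crossjoin/pre-mailer": "^1.0",
+        "ezyang/htmlpurifier": "dev-master"
     },
     "autoload": {
         "psr-4": {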
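Review bot: The `"ezyang/htmlpurifier": "dev-master"` constraint tracks a moving branch, which is a poor fit for the package that this commit makes the sole XSS boundary for rendered markdown. `composer.lock` pins a specific commit today, but the next `composer update` will pull whatever master holds at that moment, unreviewed, and no tagged release boundary exists to diff against. Every other requirement in this block uses a caret or tilde range on a released version; use a tagged 4.x release range here as well, e.g. `"ezyang/htmlpurifier": "^<latest tagged 4.x release>"`, and let the lockfile do the exact pinning.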

composer.lock

Lines changed: 51 additions & 2 deletions
