Markdown update (safe mode)

markseu 2014-08-29 09:15:49 +02:00
parent 8f0089b080
commit 289d9a009d
5 changed files with 27 additions and 21 deletions


@ -1,4 +1,4 @@
Yellow 0.3.17
Yellow 0.3.18
=============
Yellow is for people who make websites. [Visit website](http://datenstrom.se/yellow).


@ -3,9 +3,8 @@
sitename = Yellow
author = Yellow
language = en
template = default
style = default
parser = markdownextra
template = default
// serverScheme = http
// serverName = your.domain.name
@ -26,11 +25,12 @@ contentDir = content/
contentHomeDir = home/
contentDefaultFile = page.txt
contentPagination = page
contentHtmlFilter = 0
contentExtension = .txt
configExtension = .ini
errorPageFile = error(.*).txt
textStringFile = text(.*).ini
parser = markdownextra
parserSafeMode = 0
webinterfaceLocation = /edit/
webinterfaceServerScheme = http
webinterfaceUserHashAlgorithm = bcrypt
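Review bot: The new `parserSafeMode` key is added to the default config without any description, so a site owner has to read the parser plugin to learn what the value changes. A one-line comment in the file's existing `//` style would do, e.g. `// parserSafeMode = 1 turns on the Markdown parser's no_markup/no_entities options and the link-scheme filter in normaliseLocation`, which is what the markdownextra plugin does with the flag in this commit. Stating that the default `0` leaves that filtering off is worth doing explicitly, since it is the setting that matters for sites where content authors are not fully trusted.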


@ -5,7 +5,7 @@
// Markdown extra core plugin
class YellowMarkdownExtra
{
const Version = "0.3.10";
const Version = "0.3.11";
var $yellow; //access to API
// Handle plugin initialisation
@ -34,12 +34,12 @@ class YellowMarkdownExtraParser extends MarkdownExtraParser
$this->yellow = $yellow;
$this->page = $page;
$this->idAttributes = array();
$this->no_markup = (bool)$this->yellow->config->get("contentHtmlFilter");
$this->no_entities = (bool)$this->yellow->config->get("contentHtmlFilter");
$this->no_markup = $page->parserSafeMode;
$this->no_entities = $page->parserSafeMode;
$this->url_filter_func = function($url) use ($yellow, $page)
{
return $yellow->toolbox->normaliseLocation($url, $page->base, $page->location,
(bool)$yellow->config->get("contentHtmlFilter") && $page->statusCode!=424);
$page->parserSafeMode && $page->statusCode==200);
};
parent::__construct();
}
@ -2947,6 +2947,11 @@ class MarkdownExtraParser extends MarkdownParser {
}xm',
array($this, '_processDefListItems_callback_dd'), $list_str);
# Catch unescaped text, security bugfix for https://github.com/michelf/php-markdown/issues/175
if(preg_match("/^(?!\n<dt>)(.*?)(<dd>.*)$/s", $list_str, $matches))
{
$list_str = "<dt>".$this->runSpanGamut($matches[1])."</dt>\n".$matches[2];
}
return $list_str;
}
protected function _processDefListItems_callback_dt($matches) {
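Review bot: The URL filter in the closure is now enabled only when `$page->statusCode==200`, whereas the line it replaces enabled it for every status except 424; in safe mode, content rendered with any other status (an error page, for instance) would now reach normaliseLocation with `$filterStrict` false. If the intent was just to keep the 424 exemption, `$page->parserSafeMode && $page->statusCode!=424` preserves the previous coverage; if 200-only is deliberate, a comment on the closure such as `// Only filter links on pages served with 200; other statuses are rendered from trusted sources` (adjusted to the real reason) would stop the next reader from reverting it. The enclosing method starts before this hunk (the `parent::__construct()` call suggests it is the parser constructor).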


@ -5,7 +5,7 @@
// Web interface core plugin
class YellowWebinterface
{
const Version = "0.3.6";
const Version = "0.3.7";
var $yellow; //access to API
var $users; //web interface users
var $active; //web interface is active? (boolean)
@ -103,10 +103,11 @@ class YellowWebinterface
$header .= "// <![CDATA[\n";
if($this->isUser())
{
$header .= "yellow.page.userPermission = " .json_encode($this->userPermission).";\n";
$header .= "yellow.page.userPermission = ".json_encode($this->userPermission).";\n";
$header .= "yellow.page.rawDataSource = ".json_encode($this->rawDataSource).";\n";
$header .= "yellow.page.rawDataEdit = ".json_encode($this->rawDataEdit).";\n";
$header .= "yellow.page.rawDataNew = ".json_encode($this->getDataNew()).";\n";
$header .= "yellow.page.parserSafeMode = ".json_encode($page->parserSafeMode).";\n";
$header .= "yellow.page.statusCode = ".json_encode($page->statusCode).";\n";
}
$header .= "yellow.config = ".json_encode($this->getDataConfig()).";\n";
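Review bot: `json_encode($page->parserSafeMode)` on the new line emits whatever parseData stored, and in this commit that is the raw config value (`$this->parserSafeMode = $this->yellow->config->get("parserSafeMode")` in YellowPage::parseData, default `"0"`), so if `config->get` returns the string as set the client receives `"0"` rather than `false` — and a non-empty string is truthy in JavaScript, which would make every page look like safe mode to the editor. Casting once at the source, `$this->parserSafeMode = (bool)$this->yellow->config->get("parserSafeMode");`, fixes this and also restores the `(bool)` that the markdownextra plugin's `no_markup`/`no_entities` assignments dropped in this commit. The enclosing method starts before this hunk.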


@ -5,7 +5,7 @@
// Yellow main class
class Yellow
{
const Version = "0.3.17";
const Version = "0.3.18";
var $page; //current page
var $pages; //pages from file system
var $config; //configuration
@ -23,9 +23,8 @@ class Yellow
$this->config->setDefault("sitename", "Yellow");
$this->config->setDefault("author", "Yellow");
$this->config->setDefault("language", "en");
$this->config->setDefault("template", "default");
$this->config->setDefault("style", "default");
$this->config->setDefault("parser", "markdownextra");
$this->config->setDefault("template", "default");
$this->config->setDefault("serverScheme", $this->toolbox->getServerScheme());
$this->config->setDefault("serverName", $this->toolbox->getServerName());
$this->config->setDefault("serverBase", $this->toolbox->getServerBase());
@ -44,12 +43,13 @@ class Yellow
$this->config->setDefault("contentHomeDir", "home/");
$this->config->setDefault("contentDefaultFile", "page.txt");
$this->config->setDefault("contentPagination", "page");
$this->config->setDefault("contentHtmlFilter", "0");
$this->config->setDefault("contentExtension", ".txt");
$this->config->setDefault("configExtension", ".ini");
$this->config->setDefault("configFile", "config.ini");
$this->config->setDefault("errorPageFile", "error(.*).txt");
$this->config->setDefault("textStringFile", "text(.*).ini");
$this->config->setDefault("parser", "markdownextra");
$this->config->setDefault("parserSafeMode", "0");
$this->config->load($this->config->get("configDir").$this->config->get("configFile"));
$this->text->load($this->config->get("configDir").$this->config->get("textStringFile"));
$this->updateConfig();
@ -329,6 +329,7 @@ class YellowPage
var $headerData; //response header
var $parserData; //content data of page
var $parser; //content parser
var $parserSafeMode; //page is parsed in safe mode? (boolean)
var $active; //page is active location? (boolean)
var $visible; //page is visible location? (boolean)
var $cacheable; //page is cacheable? (boolean)
@ -351,6 +352,7 @@ class YellowPage
function parseData($rawData, $cacheable, $statusCode, $pageError = "")
{
$this->rawData = $rawData;
$this->parserSafeMode = $this->yellow->config->get("parserSafeMode");
$this->active = $this->yellow->toolbox->isActiveLocation($this->location, $this->yellow->page->location);
$this->visible = $this->yellow->toolbox->isVisibleLocation($this->location, $this->fileName,
$this->yellow->config->get("contentDir"));
@ -386,10 +388,10 @@ class YellowPage
$this->set("sitename", $this->yellow->config->get("sitename"));
$this->set("author", $this->yellow->config->get("author"));
$this->set("language", $this->yellow->config->get("language"));
$this->set("template", $this->yellow->toolbox->findNameFromFile($this->fileName,
$this->yellow->config->get("templateDir"), $this->yellow->config->get("template"), ".php"));
$this->set("style", $this->yellow->toolbox->findNameFromFile($this->fileName,
$this->yellow->config->get("styleDir"), $this->yellow->config->get("style"), ".css"));
$this->set("template", $this->yellow->toolbox->findNameFromFile($this->fileName,
$this->yellow->config->get("templateDir"), $this->yellow->config->get("template"), ".php"));
$this->set("parser", $this->yellow->config->get("parser"));
if(preg_match("/^(\-\-\-[\r\n]+)(.+?)([\r\n]+\-\-\-[\r\n]+)/s", $this->rawData, $parsed))
@ -1522,7 +1524,7 @@ class YellowToolbox
return $fileNames;
}
// Return file/template/style name from file path
// Return file/style/template name from file path
function findNameFromFile($fileName, $pathBase, $nameDefault, $fileExtension, $includeFileName = false)
{
$name = "";
@ -1546,10 +1548,6 @@ class YellowToolbox
// Normalise location, make absolute location
function normaliseLocation($location, $pageBase, $pageLocation, $filterStrict = true)
{
if($filterStrict)
{
if(preg_match("/^javascript:/i", $location)) $location = "xss";
}
if(!preg_match("/^\w+:/", html_entity_decode($location, ENT_QUOTES, "UTF-8")))
{
if(!preg_match("/^\//", $location))
@ -1560,6 +1558,8 @@ class YellowToolbox
{
$location = $pageBase.$location;
}
} else {
if($filterStrict && !preg_match("/^(http|https|ftp|mailto):/", $location)) $location = "error-xss-filter";
}
return $location;
}
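Review bot: The scheme allowlist added in the new else branch of normaliseLocation is case-sensitive, while the absolute-location test above it (`^\w+:`) accepts any case, so in safe mode a link written as `HTTP://example.com` or `Mailto:...` is rewritten to `error-xss-filter` although it is harmless; `if($filterStrict && !preg_match("/^(http|https|ftp|mailto):/i", $location)) $location = "error-xss-filter";` keeps the intent without the false positive. Note also that the absolute-location test runs on the entity-decoded string while the allowlist runs on the raw one, so an entity-encoded scheme such as `http&#58;//` is detected as absolute but then fails the allowlist — fail-closed, which is fine, but a comment such as `// Safe mode: absolute locations must use an allowed scheme, everything else is replaced` would keep the two checks from being "fixed" independently later. The function body between the two hunks (old lines 1556-1559) is not visible here.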