Markdown update (safe mode)

README.md

@@ -1,4 +1,4 @@
-Yellow 0.3.17
+Yellow 0.3.18
 =============
 Yellow is for people who make websites. [Visit website](http://datenstrom.se/yellow).
 

system/config/config.ini

@@ -3,9 +3,8 @@
 sitename = Yellow
 author = Yellow
 language = en
-template = default
 style = default
-parser = markdownextra
+template = default
 
 // serverScheme = http
 // serverName = your.domain.name
@@ -26,11 +25,12 @@ contentDir = content/
 contentHomeDir = home/
 contentDefaultFile = page.txt
 contentPagination = page
-contentHtmlFilter = 0
 contentExtension = .txt
 configExtension = .ini
 errorPageFile = error(.*).txt
 textStringFile = text(.*).ini
+parser = markdownextra
+parserSafeMode = 0
 webinterfaceLocation = /edit/
 webinterfaceServerScheme = http
 webinterfaceUserHashAlgorithm = bcrypt

system/core/core-markdownextra.php

@@ -5,7 +5,7 @@
 // Markdown extra core plugin
 class YellowMarkdownExtra
 {
-	const Version = "0.3.10";
+	const Version = "0.3.11";
 	var $yellow;		//access to API
 	
 	// Handle plugin initialisation
@@ -34,12 +34,12 @@ class YellowMarkdownExtraParser extends MarkdownExtraParser
 		$this->yellow = $yellow;
 		$this->page = $page;
 		$this->idAttributes = array();
-		$this->no_markup = (bool)$this->yellow->config->get("contentHtmlFilter");
-		$this->no_entities = (bool)$this->yellow->config->get("contentHtmlFilter");
+		$this->no_markup = $page->parserSafeMode;
+		$this->no_entities = $page->parserSafeMode;
 		$this->url_filter_func = function($url) use ($yellow, $page)
 		{
 			return $yellow->toolbox->normaliseLocation($url, $page->base, $page->location,
-				(bool)$yellow->config->get("contentHtmlFilter") && $page->statusCode!=424);
+				$page->parserSafeMode && $page->statusCode==200);
 		};
 		parent::__construct();
 	}
@@ -2947,6 +2947,11 @@ class MarkdownExtraParser extends MarkdownParser {
 			}xm',
 			array($this, '_processDefListItems_callback_dd'), $list_str);
 
+		# Catch unescaped text, security bugfix for https://github.com/michelf/php-markdown/issues/175
+		if(preg_match("/^(?!\n<dt>)(.*?)(<dd>.*)$/s", $list_str, $matches))
+		{
+			$list_str = "<dt>".$this->runSpanGamut($matches[1])."</dt>\n".$matches[2];
+		}
 		return $list_str;
 	}
 	protected function _processDefListItems_callback_dt($matches) {

system/core/core-webinterface.php

@@ -5,7 +5,7 @@
 // Web interface core plugin
 class YellowWebinterface
 {
-	const Version = "0.3.6";
+	const Version = "0.3.7";
 	var $yellow;				//access to API
 	var $users;					//web interface users
 	var $active;				//web interface is active? (boolean)
@@ -103,10 +103,11 @@ class YellowWebinterface
 			$header .= "// <![CDATA[\n";
 			if($this->isUser())
 			{
-				$header .= "yellow.page.userPermission = " .json_encode($this->userPermission).";\n";
+				$header .= "yellow.page.userPermission = ".json_encode($this->userPermission).";\n";
 				$header .= "yellow.page.rawDataSource = ".json_encode($this->rawDataSource).";\n";
 				$header .= "yellow.page.rawDataEdit = ".json_encode($this->rawDataEdit).";\n";
 				$header .= "yellow.page.rawDataNew = ".json_encode($this->getDataNew()).";\n";
+				$header .= "yellow.page.parserSafeMode = ".json_encode($page->parserSafeMode).";\n";
 				$header .= "yellow.page.statusCode = ".json_encode($page->statusCode).";\n";
 			}
 			$header .= "yellow.config = ".json_encode($this->getDataConfig()).";\n";

system/core/core.php

@@ -5,7 +5,7 @@
 // Yellow main class
 class Yellow
 {
-	const Version = "0.3.17";
+	const Version = "0.3.18";
 	var $page;				//current page
 	var $pages;				//pages from file system
 	var $config;			//configuration
@@ -23,9 +23,8 @@ class Yellow
 		$this->config->setDefault("sitename", "Yellow");
 		$this->config->setDefault("author", "Yellow");
 		$this->config->setDefault("language", "en");
-		$this->config->setDefault("template", "default");
 		$this->config->setDefault("style", "default");
-		$this->config->setDefault("parser", "markdownextra");
+		$this->config->setDefault("template", "default");
 		$this->config->setDefault("serverScheme", $this->toolbox->getServerScheme());
 		$this->config->setDefault("serverName", $this->toolbox->getServerName());
 		$this->config->setDefault("serverBase", $this->toolbox->getServerBase());
@@ -44,12 +43,13 @@ class Yellow
 		$this->config->setDefault("contentHomeDir", "home/");
 		$this->config->setDefault("contentDefaultFile", "page.txt");
 		$this->config->setDefault("contentPagination", "page");
-		$this->config->setDefault("contentHtmlFilter", "0");
 		$this->config->setDefault("contentExtension", ".txt");
 		$this->config->setDefault("configExtension", ".ini");
 		$this->config->setDefault("configFile", "config.ini");
 		$this->config->setDefault("errorPageFile", "error(.*).txt");
 		$this->config->setDefault("textStringFile", "text(.*).ini");
+		$this->config->setDefault("parser", "markdownextra");
+		$this->config->setDefault("parserSafeMode", "0");
 		$this->config->load($this->config->get("configDir").$this->config->get("configFile"));
 		$this->text->load($this->config->get("configDir").$this->config->get("textStringFile"));
 		$this->updateConfig();
@@ -329,6 +329,7 @@ class YellowPage
 	var $headerData;			//response header
 	var $parserData;			//content data of page
 	var $parser;				//content parser
+	var $parserSafeMode;		//page is parsed in safe mode? (boolean)
 	var $active;				//page is active location? (boolean)
 	var $visible;				//page is visible location? (boolean)
 	var $cacheable;				//page is cacheable? (boolean)
@@ -351,6 +352,7 @@ class YellowPage
 	function parseData($rawData, $cacheable, $statusCode, $pageError = "")
 	{
 		$this->rawData = $rawData;
+		$this->parserSafeMode = $this->yellow->config->get("parserSafeMode");
 		$this->active = $this->yellow->toolbox->isActiveLocation($this->location, $this->yellow->page->location);
 		$this->visible = $this->yellow->toolbox->isVisibleLocation($this->location, $this->fileName,
 			$this->yellow->config->get("contentDir"));
@@ -386,10 +388,10 @@ class YellowPage
 		$this->set("sitename", $this->yellow->config->get("sitename"));
 		$this->set("author", $this->yellow->config->get("author"));
 		$this->set("language", $this->yellow->config->get("language"));
-		$this->set("template", $this->yellow->toolbox->findNameFromFile($this->fileName,
-			$this->yellow->config->get("templateDir"), $this->yellow->config->get("template"), ".php"));
 		$this->set("style", $this->yellow->toolbox->findNameFromFile($this->fileName,
 			$this->yellow->config->get("styleDir"), $this->yellow->config->get("style"), ".css"));
+		$this->set("template", $this->yellow->toolbox->findNameFromFile($this->fileName,
+			$this->yellow->config->get("templateDir"), $this->yellow->config->get("template"), ".php"));
 		$this->set("parser", $this->yellow->config->get("parser"));
 		
 		if(preg_match("/^(\-\-\-[\r\n]+)(.+?)([\r\n]+\-\-\-[\r\n]+)/s", $this->rawData, $parsed))
@@ -1522,7 +1524,7 @@ class YellowToolbox
 		return $fileNames;
 	}
 	
-	// Return file/template/style name from file path
+	// Return file/style/template name from file path
 	function findNameFromFile($fileName, $pathBase, $nameDefault, $fileExtension, $includeFileName = false)
 	{
 		$name = "";
@@ -1546,10 +1548,6 @@ class YellowToolbox
 	// Normalise location, make absolute location
 	function normaliseLocation($location, $pageBase, $pageLocation, $filterStrict = true)
 	{
-		if($filterStrict)
-		{
-			if(preg_match("/^javascript:/i", $location)) $location = "xss";
-		}
 		if(!preg_match("/^\w+:/", html_entity_decode($location, ENT_QUOTES, "UTF-8")))
 		{
 			if(!preg_match("/^\//", $location))
@@ -1560,6 +1558,8 @@ class YellowToolbox
 			{
 				$location = $pageBase.$location;
 			}
+		} else {
+			if($filterStrict && !preg_match("/^(http|https|ftp|mailto):/", $location)) $location = "error-xss-filter";
 		}
 		return $location;
 	}