From 49883b131cd8be23396bcabfb946661bdf1a9b29 Mon Sep 17 00:00:00 2001
From: Michel Fortin
Date: Thu, 5 Jun 2008 09:38:46 -0400
Subject: [PATCH 1/4] Now cleaning up input of any \x1A character to avoid potential issues with "hashed" values.
---
 markdown.php | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/markdown.php b/markdown.php
index 7edd6a3..4b072fb 100644
--- a/markdown.php
+++ b/markdown.php
@@ -275,8 +275,8 @@ class Markdown_Parser {
 #
 $this->setup();
- # Remove UTF-8 BOM, if present.
- $text = preg_replace('{^\xEF\xBB\xBF}', '', $text);
+ # Remove UTF-8 BOM and marker character in input, if present.
+ $text = preg_replace('{^\xEF\xBB\xBF|\x1A}', '', $text);
 # Standardize line endings:
 # DOS to Unix and Mac to Unix
From 1e69a0958527d5c8c9fc334a0b945bb12e3401ce Mon Sep 17 00:00:00 2001
From: Michel Fortin
Date: Thu, 5 Jun 2008 22:06:54 -0400
Subject: [PATCH 2/4] Clarified documentation comment for encodeAttribute.
---
 markdown.php | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/markdown.php b/markdown.php
index 4b072fb..b6af91b 100644
--- a/markdown.php
+++ b/markdown.php
@@ -1242,7 +1242,8 @@ class Markdown_Parser {
 function encodeAttribute($text) {
 #
- # Encode text for a double-quoted HTML attribute.
+ # Encode text for a double-quoted HTML attribute. This function
+ # is *not* suitable for attributes enclosed in single quotes.
 #
 $text = $this->encodeAmpsAndAngles($text);
 $text = str_replace('"', '"', $text);
From ef6e25229ded9936d0c47186b037a9d52f14e55b Mon Sep 17 00:00:00 2001
From: Michel Fortin
Date: Thu, 5 Jun 2008 22:08:11 -0400
Subject: [PATCH 3/4] Added preg_quote in handling of code span tokens in handleSpanToken to satisfy the security paranoid.
---
 markdown.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/markdown.php b/markdown.php
index b6af91b..b8991e2 100644
--- a/markdown.php
+++ b/markdown.php
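Review bot: In patch 1/4 (the `@@ -275,8 +275,8 @@` hunk), the new comment says "marker character" without naming the byte or the reason, and the pattern `{^\xEF\xBB\xBF|\x1A}` is easy to misread: `^` binds only to the BOM alternative, so `\x1A` is removed wherever it occurs in the input. The commit subject ties this to the integrity of "hashed" values, so I would state the invariant in the code, e.g. `# Remove a leading UTF-8 BOM, and every \x1A byte: \x1A is presumably reserved for internal hash placeholders and must never arrive from input.` It is also worth confirming that no other entry point hands text to the parser without passing through this line. The enclosing function starts and ends outside the hunk.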
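Review bot: In patch 2/4, the clarified comment on `encodeAttribute` rules out single-quoted attributes but says nothing about unquoted attribute values, which the visible body (the `encodeAmpsAndAngles` call plus a `"` replacement) does not make safe either. I would extend the second added line to `# is *not* suitable for attributes enclosed in single quotes or left unquoted.` so that callers do not reuse the helper in the wrong HTML context. The function body continues outside the hunk.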
@@ -1409,7 +1409,7 @@ class Markdown_Parser {
 return $this->hashPart("&#". ord($token{1}). ";");
 case "`":
 # Search for end marker in remaining text.
- if (preg_match('/^(.*?[^`])'.$token.'(?!`)(.*)$/sm',
+ if (preg_match('/^(.*?[^`])'.preg_quote($token).'(?!`)(.*)$/sm',
 $str, $matches))
 {
 $str = $matches[2];
From 19d69e9018f7c404d820044e0dd04354ce30dba9 Mon Sep 17 00:00:00 2001
From: Michel Fortin
Date: Thu, 5 Jun 2008 22:18:57 -0400
Subject: [PATCH 4/4] Removed double attribute encoding for by-reference URLs and titles.
---
 markdown.php | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/markdown.php b/markdown.php
index b8991e2..39a5fb7 100644
--- a/markdown.php
+++ b/markdown.php
@@ -347,9 +347,8 @@ class Markdown_Parser {
 }
 function _stripLinkDefinitions_callback($matches) {
 $link_id = strtolower($matches[1]);
- $this->urls[$link_id] = $this->encodeAttribute($matches[2]);
- if (isset($matches[3]))
- $this->titles[$link_id] = $this->encodeAttribute($matches[3]);
+ $this->urls[$link_id] = $matches[2];
+ $this->titles[$link_id] =& $matches[3];
 return ''; # String that will replace the block
 }
@@ -828,10 +827,11 @@ class Markdown_Parser {
 $alt_text = $this->encodeAttribute($alt_text);
 if (isset($this->urls[$link_id])) {
- $url = $this->urls[$link_id];
+ $url = $this->encodeAttribute($this->urls[$link_id]);
 $result = "\"$alt_text\"";titles[$link_id])) {
 $title = $this->titles[$link_id];
+ $title = $this->encodeAttribute($title);
 $result .= " title=\"$title\"";
 }
 $result .= $this->empty_element_suffix;
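Review bot: In patch 3/4 (`handleSpanToken`, per the commit subject), `preg_quote($token)` is called without the delimiter argument, so the `/` that delimits this pattern would stay unescaped if it ever appeared in `$token`. In the backtick case the token is presumably only a run of backticks, so behaviour does not change today, but since the commit is meant as defence in depth the call should be `preg_quote($token, '/')`. The enclosing switch starts and ends outside the hunk.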
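Review bot: In patch 4/4, `_stripLinkDefinitions_callback` now stores `$matches[2]` and `$matches[3]` unencoded, so every reader of `$this->urls` and `$this->titles` must call `encodeAttribute` at output time. The second hunk (`@@ -828,10 +827,11 @@`) adds that for the by-reference image path, but the by-reference link path is not part of this diff and should be checked for the same encoding before this is merged. Separately, `$this->titles[$link_id] =& $matches[3];` relies on reference assignment creating a null entry when the title group did not match, which swaps the explicit `isset` guard for a side effect. I would keep the intent visible with `$this->titles[$link_id] = isset($matches[3]) ? $matches[3] : null;`, or at least a comment stating why the reference is used. Both functions continue outside their hunks.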