Add rawHtml without using it (extensions may opt-in)

erusev · Dec 30, 2019 · add8d18 · add8d18
1 parent 7073ac3
commit add8d18
Show file tree

Hide file tree

Showing 3 changed files with 97 additions and 3 deletions.
diff --git a/Parsedown.php b/Parsedown.php
@@ -1489,22 +1489,41 @@ protected function element(array $Element)
             }
         }
 
+        $permitRawHtml = false;
+
         if (isset($Element['text']))
+        {
+            $text = $Element['text'];
+        }
+        // very strongly consider an alternative if you're writing an
+        // extension
+        elseif (isset($Element['rawHtml']))
+        {
+            $text = $Element['rawHtml'];
+            $allowRawHtmlInSafeMode = isset($Element['allowRawHtmlInSafeMode']) && $Element['allowRawHtmlInSafeMode'];
+            $permitRawHtml = !$this->safeMode || $allowRawHtmlInSafeMode;
+        }
+
+        if (isset($text))
         {
             $markup .= '>';
 
-            if (!isset($Element['nonNestables'])) 
+            if (!isset($Element['nonNestables']))
             {
                 $Element['nonNestables'] = array();
             }
 
             if (isset($Element['handler']))
             {
-                $markup .= $this->{$Element['handler']}($Element['text'], $Element['nonNestables']);
+                $markup .= $this->{$Element['handler']}($text, $Element['nonNestables']);
+            }
+            elseif (!$permitRawHtml)
+            {
+                $markup .= self::escape($text, true);
             }
             else
             {
-                $markup .= self::escape($Element['text'], true);
+                $markup .= $text;
             }
 
             $markup .= '</'.$Element['name'].'>';

diff --git a/test/ParsedownTest.php b/test/ParsedownTest.php
@@ -1,5 +1,7 @@
 <?php
 
+require 'SampleExtensions.php';
+
 use PHPUnit\Framework\TestCase;
 
 class ParsedownTest extends TestCase
@@ -55,6 +57,40 @@ function test_($test, $dir)
         $this->assertEquals($expectedMarkup, $actualMarkup);
     }
 
+    function testRawHtml()
+    {
+        $markdown = "```php\nfoobar\n```";
+        $expectedMarkup = '<pre><code class="language-php"><p>foobar</p></code></pre>';
+        $expectedSafeMarkup = '<pre><code class="language-php">&lt;p&gt;foobar&lt;/p&gt;</code></pre>';
+
+        $unsafeExtension = new UnsafeExtension;
+        $actualMarkup = $unsafeExtension->text($markdown);
+
+        $this->assertEquals($expectedMarkup, $actualMarkup);
+
+        $unsafeExtension->setSafeMode(true);
+        $actualSafeMarkup = $unsafeExtension->text($markdown);
+
+        $this->assertEquals($expectedSafeMarkup, $actualSafeMarkup);
+    }
+
+    function testTrustDelegatedRawHtml()
+    {
+        $markdown = "```php\nfoobar\n```";
+        $expectedMarkup = '<pre><code class="language-php"><p>foobar</p></code></pre>';
+        $expectedSafeMarkup = $expectedMarkup;
+
+        $unsafeExtension = new TrustDelegatedExtension;
+        $actualMarkup = $unsafeExtension->text($markdown);
+
+        $this->assertEquals($expectedMarkup, $actualMarkup);
+
+        $unsafeExtension->setSafeMode(true);
+        $actualSafeMarkup = $unsafeExtension->text($markdown);
+
+        $this->assertEquals($expectedSafeMarkup, $actualSafeMarkup);
+    }
+
     function data()
     {
         $data = array();

diff --git a/test/SampleExtensions.php b/test/SampleExtensions.php
@@ -0,0 +1,39 @@
+<?php
+
+class UnsafeExtension extends Parsedown
+{
+    protected function blockFencedCodeComplete($Block)
+    {
+        $text = $Block['element']['text']['text'];
+        unset($Block['element']['text']['text']);
+
+        // WARNING: There is almost always a better way of doing things!
+        //
+        // This example is one of them, unsafe behaviour is NOT needed here.
+        // Only use this if you trust the input and have no idea what
+        // the output HTML will look like (e.g. using an external parser).
+        $Block['element']['text']['rawHtml'] = "<p>$text</p>";
+
+        return $Block;
+    }
+}
+
+class TrustDelegatedExtension extends Parsedown
+{
+    protected function blockFencedCodeComplete($Block)
+    {
+        $text = $Block['element']['text']['text'];
+        unset($Block['element']['text']['text']);
+
+        // WARNING: There is almost always a better way of doing things!
+        //
+        // This behaviour is NOT needed in the demonstrated case.
+        // Only use this if you are sure that the result being added into
+        // rawHtml is safe.
+        // (e.g. using an external parser with escaping capabilities).
+        $Block['element']['text']['rawHtml'] = "<p>$text</p>";
+        $Block['element']['text']['allowRawHtmlInSafeMode'] = true;
+
+        return $Block;
+    }
+}