When using Parsedown to parse the Markdown, some problems of XSS filtering were encountered.
It is found that Parsedown will 代码
escape HTML code in the area, 代码
but not outside the area, as shown in the following code
PHP
text($test);/** * 得到结果是: <script>alert('test')</script>
* * */
So,
this sentence has been successfully executed.
If that's the case, I'm going to escape it myself.
PHP
text($test);/** * 得到结果是: <script>alert('test')</script>
<script>alert('test')</script>
*/
Although XSS is filtered out, the 代码
content of the area is escaped two times .
Then I found that the SF Markdown seems to be on the back end of the parse good, such as this page, its part of the source code is as follows:
html
我现在的代码是这样的
<title>Untitled Document</title>
<script> function test(){ <?php $conn = mysql_connect("localhost", "username", "123123"); mysql_select_db("username", $conn); mysql_query("INSERT INTO ChargerTogether (Chat) VALUES ('test')"); $result= mysql_query("SELECT *FROM ChargerTogether"); echo "<p> {$result} </p>>"; ?> }</script>
<body>
<input type="button" onClick="javascript:test();">
</body>
但这样是错误的
我该怎样做呢
The escape here is doing very well.
I think of the solution is: first escape, and then use Parsedown to parse, and then the regular match the parsed
code, the reverse meaning (once).
Don't know if there are any better escape functions , or if there are other Markdown parsing classes that can filter XSS
P.S. I found a markdown-js on GitHub. With this thing, you can htmlspecialchars(()
output the escaped string directly into one textaera
, and it will parse correctly. Although I can hide the text box, but if you need to output a lot of Markdown (the post has a lot of replies), it is not a good solution ah!
Reply content:
When using Parsedown to parse the Markdown, some problems of XSS filtering were encountered.
It is found that Parsedown will 代码
escape HTML code in the area, 代码
but not outside the area, as shown in the following code
PHP
text($test);/** * 得到结果是: <script>alert('test')</script>
* * */
So,
this sentence has been successfully executed.
If that's the case, I'm going to escape it myself.
PHP
text($test);/** * 得到结果是: <script>alert('test')</script>
<script>alert('test')</script>
*/
Although XSS is filtered out, the 代码
content of the area is escaped two times .
Then I found that the SF Markdown seems to be on the back end of the parse good, such as this page, its part of the source code is as follows:
html
我现在的代码是这样的
<title>Untitled Document</title>
<script> function test(){ <?php $conn = mysql_connect("localhost", "username", "123123"); mysql_select_db("username", $conn); mysql_query("INSERT INTO ChargerTogether (Chat) VALUES ('test')"); $result= mysql_query("SELECT *FROM ChargerTogether"); echo "<p> {$result} </p>>"; ?> }</script>
<body>
<input type="button" onClick="javascript:test();">
</body>
但这样是错误的
我该怎样做呢
The escape here is doing very well.
I think of the solution is: first escape, and then use Parsedown to parse, and then the regular match the parsed
code, the reverse meaning (once).
Don't know if there are any better escape functions , or if there are other Markdown parsing classes that can filter XSS
P.S. I found a markdown-js on GitHub. With this thing, you can htmlspecialchars(()
output the escaped string directly into one textaera
, and it will parse correctly. Although I can hide the text box, but if you need to output a lot of Markdown (the post has a lot of replies), it is not a good solution ah!
Just put the Parsedown in the source code (a total of three) escaped statements (as shown below) to comment out,
PHP
$text = htmlspecialchars($text, ENT_NOQUOTES, 'UTF-8');
This sentence appears in the following three methods:
protected function blockCodeComplete($Block)
, protected function blockFencedCodeComplete($Block)
,protected function inlineCode($Excerpt)
And then modify it function text($text)
:
function text($text) { #添加下面这行 $text = htmlspecialchars($text, ENT_NOQUOTES, 'UTF-8'); # Code... }
This is a solution, but it may not be the most perfect solution, but also ask you to continue to provide a better solution ~
I also encountered this problem, and later found that as long as the code block outside the written can, so it will be converted into text.