This repository was archived by the owner on Aug 6, 2020. It is now read-only.

Fenced code: Some combinations of newlines and closing php tag do not html-escape characters #4

Open
asartalo opened this issue Dec 1, 2011 · 9 comments

asartalo commented Dec 1, 2011

The following text will render okay:

```php
<?php
// some code
$foo->bar();
?>
```

But this doesn't:

```php
<?php
// some code

$foo->bar();
?>
```

And produces this unescaped output:

```html
<pre><code class="language-php"><?php
// some code

$foo->bar();
?>
</code></pre>
```
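Added example (not code from the php-markdown-extra-extended project): a minimal fenced-code pass that escapes the block body before any raw-HTML handling could see it, so a `<?php ... ?>` body with blank lines is never emitted unescaped, plus a regression check that flags both the raw `<?php` form reported here and the `<!--?php` comment form reported later in this thread. The function names and the use of `htmlspecialchars` are my choices, and the two inputs are constructed from the samples in the issue.

```php
<?php
// Minimal fenced-code-block renderer: the body is escaped as text, whatever
// it contains, so "<?php" can never be mistaken for a processing instruction.
function renderFencedBlocks(string $markdown): string
{
    $fence = str_repeat('`', 3);
    // [\s\S]*? spans blank lines, which is exactly the case the issue reports.
    $pattern = '/^' . $fence . '[ \t]*([A-Za-z0-9_+-]*)[ \t]*\n([\s\S]*?)\n'
             . $fence . '[ \t]*$/m';
    return preg_replace_callback($pattern, function (array $m): string {
        $lang  = $m[1];
        $body  = htmlspecialchars($m[2], ENT_QUOTES | ENT_HTML5, 'UTF-8');
        $class = $lang !== '' ? ' class="language-' . $lang . '"' : '';
        return "<pre><code{$class}>{$body}\n</code></pre>";
    }, $markdown);
}

// Regression check for rendered HTML: a raw PHP open tag or the "<!--?php"
// comment form means the code body leaked through without escaping.
function hasUnescapedPhpTag(string $html): bool
{
    return preg_match('/<\?php|<!--\?php/', $html) === 1;
}

// Constructed inputs, built from the two samples in the issue.
$fence = str_repeat('`', 3);
$withoutBlankLine = $fence . "php\n<?php\n// some code\n\$foo->bar();\n?>\n" . $fence;
$withBlankLine    = $fence . "php\n<?php\n// some code\n\n\$foo->bar();\n?>\n" . $fence;

foreach ([$withoutBlankLine, $withBlankLine] as $input) {
    $out = renderFencedBlocks($input);
    echo $out, "\n";
    echo hasUnescapedPhpTag($out) ? "UNESCAPED\n" : "escaped OK\n";
}
```

Running `hasUnescapedPhpTag` over the output of the library under test, with the blank-line sample as input, is a direct check for this issue.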
egil (Owner) commented Dec 1, 2011

This is definitely a security problem that needs fixing. Thanks for pointing this out. Cheers, Egil.

ziz commented Apr 30, 2013

This appears to be related to an inconvenient overlap between the Markdown Extra and Markdown Extended parsers and backtick-fenced code blocks versus backtick-enclosed code spans. We've made a change (crowdfavorite/php-markdown-extra-extended@92612c0) that I believe addresses the behavior properly in Extended mode while leaving the Extra mode parsing untouched, and I cannot at this time speak to the proper behavior of Extra in similar situations.

metude commented Jun 19, 2013

I think the issue still remains. If I render the below in the Markdown Extended parser it returns empty.

In the DOM the above code comes out as a comment line:

```html
<!--?php
$time = microtime();
$time = explode(' ', $time);
$time = $time[1] + $time[0];
$start = $time;
?-->
```

clphillips commented

This is definitely still an issue.

egil (Owner) commented Oct 22, 2013

I do not have any free time to contribute to this project for the foreseeable future. If anybody can contribute a fix I will be happy to merge it into the project.

nazar-pc added a commit to nazar-pc/php-markdown-next that referenced this issue Nov 10, 2013
nazar-pc commented

This bug is solved in my fork: PHP Markdown Next.
Actually, the solution is simple:
in the _hashHTMLBlocks_inMarkdown method, under "Check for: Code span marker", replace

```php
$tag[0] == '`'
```

by

```php
$tag[0] == '`' && $tag[1] !== '`'
```

clphillips commented

@nazar-pc With your fix, instead of:

```html
<pre><code class="language-php">&lt;?php
echo "hello world";
?&gt;
</code></pre>
```

I get:

```html
<pre><code class="language-php"><!--?php
echo "hello world";
?-->
</code></pre>
```

Looks like unwarranted comment blocks, as @metude pointed out, are still an issue.

nazar-pc commented

Sorry, it looks like I have a different implementation of the doFencedCodeBlocks method.
Try my parser; it doesn't differ much from this one, but works correctly and is a little bit faster.
If you need this parser, look at the doFencedCodeBlocks method in my fork for the solution.

clphillips commented

Thanks @nazar-pc, will check out your fork.
