php-markdown-extra-extended

Fenced code: Some combinations of newlines and closing php tag do not html-escape characters

Open asartalo opened this issue 13 years ago • 9 comments

The following text will render okay:

```php
<?php
// some code
$foo->bar();
?>
```

But this doesn't:

```php
<?php
// some code

$foo->bar();
?>
```

And produces this unescaped output:

<pre><code class="language-php"><?php
// some code

$foo->bar();
?>
</code></pre>

asartalo avatar Dec 01 '11 07:12 asartalo

This is definitely a security problem that needs fixing. Thanks for pointing this out. Cheers, Egil.

egil avatar Dec 01 '11 19:12 egil

This appears to be related to an inconvenient overlap between the Markdown Extra and Markdown Extended parsers and backtick-fenced code blocks versus backtick-enclosed code spans. We've made a change (crowdfavorite/php-markdown-extra-extended@92612c0) that I believe addresses the behavior properly in Extended mode while leaving the Extra mode parsing untouched, and I cannot at this time speak to the proper behavior of Extra in similar situations.

ziz avatar Apr 30 '13 21:04 ziz

I think the issue still remains. If I render the code below in the Markdown Extended parser it returns empty.

In the DOM the above code comes with a comment line:

<!--?php
$time = microtime();
$time = explode(' ', $time);
$time = $time[1] + $time[0];
$start = $time;
?-->

metude avatar Jun 19 '13 11:06 metude

This is definitely still an issue.

clphillips avatar Aug 19 '13 18:08 clphillips

I do not have any free time to contribute to this project for the foreseeable future. If anybody can contribute a fix I will be happy to merge it into the project.

egil avatar Oct 22 '13 10:10 egil

This bug is solved in my fork: PHP Markdown Next. Actually, the solution is simple: in the _hashHTMLBlocks_inMarkdown method, under "Check for: Code span marker", replace

$tag[0] == '`'

by

$tag[0] == '`' && $tag[1] !== '`'

nazar-pc avatar Nov 10 '13 23:11 nazar-pc

@nazar-pc With your fix, instead of:

<pre><code class="language-php">&lt;?php
echo "hello world";
?&gt;
</code></pre>

I get:

<pre><code class="language-php"><!--?php
echo "hello world";
?-->
</code></pre>

Looks like unwarranted comment blocks, as @metude pointed out, are still an issue.

clphillips avatar Nov 11 '13 16:11 clphillips

Sorry, it looks like I have a different implementation of the doFencedCodeBlocks method. Try my parser; it doesn't differ much from this one, but it works correctly and is a little bit faster. If you need this parser, look at the doFencedCodeBlocks method in my fork for the solution.

nazar-pc avatar Nov 11 '13 16:11 nazar-pc

Thanks @nazar-pc, will check out your fork.

clphillips avatar Nov 11 '13 16:11 clphillips
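Two points in this thread are worth pinning down with code, since the fix moved around between _hashHTMLBlocks_inMarkdown and doFencedCodeBlocks. First, the invariant the original report violates: the body of a fenced block must be HTML-escaped inside the fence handler itself, so that nothing about the body (a blank line, a `<?php` open tag, an HTML comment) can route it around the escaping. Second, the `<!--?php ... ?-->` that @metude and @clphillips saw in the DOM is not emitted by the parser; it is how a browser's HTML tokenizer recovers from a raw `<?` (it turns it into a bogus comment running to the next `>`), so seeing it in the inspector means the open tag reached the page unescaped, and view-source, not the DOM, is the place to confirm what the renderer actually produced. The block below is an added example, not code from php-markdown-extra-extended or from any of the forks mentioned: a minimal fenced-code pass with escaping done in the same callback that matches the fence, plus a regression check over the inputs from this thread and a few more shapes. The function names (renderFencedCodeBlocks, checkEscaped, regressionInputs, runRegression) are mine, and the inputs are constructed here.

```php
<?php
// Added example, not the project's own code. A fenced-code-block pass that
// escapes the fence body before it is placed in <pre><code>, and a check that
// no raw '<' survives inside a rendered code block.

function renderFencedCodeBlocks(string $markdown): string
{
    // ``` or ~~~ fence (3 or more), optional language, body, closing fence of
    // the same characters on its own line. 's' lets '.' span newlines and 'm'
    // anchors ^ and $ per line, so a blank line inside the body is just data.
    $pattern = '/^(?<fence>`{3,}|~{3,})[ ]*(?<lang>[\w.+-]*)[ ]*\n(?<body>.*?)^\k<fence>[ ]*$/ms';

    return preg_replace_callback($pattern, function (array $m): string {
        // Escape first, unconditionally. The body is data, never markup,
        // whatever earlier or later passes of a real pipeline do with it.
        $code  = htmlspecialchars($m['body'], ENT_QUOTES | ENT_HTML5, 'UTF-8');
        $class = $m['lang'] === ''
            ? ''
            : ' class="language-' . htmlspecialchars($m['lang'], ENT_QUOTES | ENT_HTML5, 'UTF-8') . '"';
        return "<pre><code{$class}>{$code}</code></pre>";
    }, $markdown);
}

/**
 * True only if at least one code block was rendered and none of them carries
 * a raw '<' in its body. The only '<' allowed inside <pre><code>...</code></pre>
 * is the one opening </code>, which the regex consumes.
 */
function checkEscaped(string $html): bool
{
    if (!preg_match_all('/<pre><code[^>]*>(.*?)<\/code><\/pre>/s', $html, $blocks)) {
        return false; // nothing rendered: for these inputs that is a failure too
    }
    foreach ($blocks[1] as $body) {
        if (strpos($body, '<') !== false) {
            return false;
        }
    }
    return true;
}

/** The two inputs from the original report plus a few more shapes (constructed here). */
function regressionInputs(): array
{
    return [
        'no blank line' => "```php\n<?php\n// some code\n\$foo->bar();\n?>\n```\n",
        'blank line'    => "```php\n<?php\n// some code\n\n\$foo->bar();\n?>\n```\n",
        'html comment'  => "```html\n<!-- looks like a comment -->\n\n<p>x</p>\n```\n",
        'tilde fence'   => "~~~\n<?php echo 'hi'; ?>\n\n~~~\n",
        'script tag'    => "```\n<script>alert(1)</script>\n```\n",
    ];
}

/** Map each named input to whether its rendered output is fully escaped. */
function runRegression(): array
{
    $results = [];
    foreach (regressionInputs() as $name => $md) {
        $results[$name] = checkEscaped(renderFencedCodeBlocks($md));
    }
    return $results;
}

foreach (runRegression() as $name => $ok) {
    printf("%-14s %s\n", $name, $ok ? 'escaped' : 'RAW HTML LEAKED');
}
```

Run this against any renderer you are about to accept user-supplied Markdown through by swapping renderFencedCodeBlocks for a call into that library; every row should read `escaped`. The `blank line` and `tilde fence` cases are the ones that distinguish a handler which escapes inside its own callback from one that relies on the HTML-block hasher having left the fence alone, and the `script tag` case is the one that turns this from a rendering glitch into stored XSS for anyone who can post Markdown.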