Implement support for backend.allow_unsafe_markdown and improve support for Swoole

Luke Towers · Luke Towers · commit 6ae19a6e16ef · 2020-05-25T18:05:13.000-06:00
diff --git a/formwidgets/BlogMarkdown.php b/formwidgets/BlogMarkdown.php
@@ -20,6 +20,9 @@
  */
 class BlogMarkdown extends MarkdownEditor
 {
+    /**
+     * {@inheritDoc}
+     */
     public function init()
     {
         $this->viewPath = base_path().'/modules/backend/formwidgets/markdowneditor/partials';
@@ -29,12 +32,28 @@ public function init()
         parent::init();
     }
 
+    /**
+     * {@inheritDoc}
+     */
     protected function loadAssets()
     {
         $this->assetPath = '/modules/backend/formwidgets/markdowneditor/assets';
         parent::loadAssets();
     }
 
+    /**
+     * Disable HTML cleaning on the widget level since the PostModel will handle it
+     *
+     * @return boolean
+     */
+    protected function shouldCleanHtml()
+    {
+        return false;
+    }
+
+    /**
+     * {@inheritDoc}
+     */
     public function onRefresh()
     {
         $content = post($this->formField->getName());
@@ -46,6 +65,11 @@ public function onRefresh()
         ];
     }
 
+    /**
+     * Handle images being uploaded to the blog post
+     *
+     * @return void
+     */
     protected function checkUploadPostback()
     {
         if (!post('X_BLOG_IMAGE_UPLOAD')) {
@@ -90,11 +114,9 @@ protected function checkUploadPostback()
             ];
 
             $response = Response::make()->setContent($result);
-            $response->send();
+            $this->controller->setResponse($response);
 
-            die();
-        }
-        catch (Exception $ex) {
+        } catch (Exception $ex) {
             $message = $uploadedFileName
                 ? Lang::get('cms::lang.asset.error_uploading_file', ['name' => $uploadedFileName, 'error' => $ex->getMessage()])
                 : $ex->getMessage();
@@ -105,9 +127,7 @@ protected function checkUploadPostback()
             ];
 
             $response = Response::make()->setContent($result);
-            $response->send();
-
-            die();
+            $this->controller->setResponse($response);
         }
     }
 }
diff --git a/models/Post.php b/models/Post.php
@@ -189,6 +189,12 @@ public static function formatHtml($input, $preview = false)
     {
         $result = Markdown::parse(trim($input));
 
+        // Check to see if the HTML should be cleaned from potential XSS
+        $user = BackendAuth::getUser();
+        if (!$user || !$user->hasAccess('backend.allow_unsafe_markdown')) {
+            $result = Html::clean($result);
+        }
+
         if ($preview) {
             $result = str_replace('<pre>', '<pre class="prettyprint">', $result);
         }

Original file line number	Diff line number	Diff line change
`@@ -189,6 +189,12 @@ public static function formatHtml($input, $preview = false)`
`189`	`189`	`{`
`190`	`190`	`$result = Markdown::parse(trim($input));`
`191`	`191`
	`192`	`+ // Check to see if the HTML should be cleaned from potential XSS`
	`193`	`+ $user = BackendAuth::getUser();`
	`194`	`+ if (!$user \|\| !$user->hasAccess('backend.allow_unsafe_markdown')) {`
	`195`	`+ $result = Html::clean($result);`
	`196`	`+ }`
	`197`	`+`
`192`	`198`	`if ($preview) {`
`193`	`199`	`$result = str_replace('<pre>', '<pre class="prettyprint">', $result);`
`194`	`200`	`}`