Allow HTML input in document content, but not comments

doshitan · doshitan · commit 4973bc3c7a32 · 2017-05-04T16:13:36.000-05:00
Summary: Documents will sometimes have structures we can't represent in Markdown directly, so we need to allow general HTML input as well. It's a dangerous thing to allow arbitrary HTML in comments though, so use a separate Markdown converter for those that strips HTML. Test Plan: - Put some HTML in the introtext and content of a document - Ensure it comes out the other side when rendered - Create a comment with some HTML in it - Ensure the HTML is stripped from the comment when rendered Reviewers: sethetter Reviewed By: sethetter Maniphest Tasks: T292 Differential Revision: https://phabricator.opengovfoundation.org/D178
diff --git a/app/Models/AnnotationTypes/Comment.php b/app/Models/AnnotationTypes/Comment.php
@@ -2,8 +2,8 @@
 
 namespace App\Models\AnnotationTypes;
 
+use App;
 use Cache;
-use GrahamCampbell\Markdown\Facades\Markdown;
 use Illuminate\Database\Eloquent\Model;
 use Illuminate\Database\Eloquent\SoftDeletes;
 
@@ -39,7 +39,7 @@ public function getContentHtmlAttribute()
                 return Cache::get($cacheKey);
             }
 
-            $html = Markdown::convertToHtml($this->content);
+            $html = App::make('comment_markdown')->convertToHtml($this->content);
             Cache::forever($cacheKey, $html);
 
             return $html;
diff --git a/app/Providers/CommentMarkdownServiceProvider.php b/app/Providers/CommentMarkdownServiceProvider.php
@@ -0,0 +1,76 @@
+<?php
+
+namespace App\Providers;
+
+use Illuminate\Support\ServiceProvider;
+use League\CommonMark\Converter;
+use League\CommonMark\DocParser;
+use League\CommonMark\Environment;
+use League\CommonMark\HtmlRenderer;
+
+class CommentMarkdownServiceProvider extends ServiceProvider
+{
+    protected $defer = true;
+
+    /**
+     * Register the service provider.
+     *
+     * @return void
+     */
+    public function register()
+    {
+        $this->registerEnvironment();
+        $this->registerMarkdown();
+    }
+
+    /**
+     * Register the environment class.
+     *
+     * @return void
+     */
+    protected function registerEnvironment()
+    {
+        $this->app->singleton('comment_markdown.environment', function ($app) {
+            // make our normal markdown environment
+            $environment = Environment::createCommonMarkEnvironment();
+            $config = $app->config->get('markdown');
+            $environment->mergeConfig(array_except($config, ['extensions', 'views']));
+
+            // disable some things
+            $environment->mergeConfig([
+                'html_input' => 'strip',
+                'allow_unsafe_links' => false,
+            ]);
+
+            foreach ((array) array_get($config, 'extensions') as $extension) {
+                $environment->addExtension($app->make($extension));
+            }
+
+            return $environment;
+        });
+    }
+
+    /**
+     * Register the markdown class.
+     *
+     * @return void
+     */
+    protected function registerMarkdown()
+    {
+        $this->app->singleton('comment_markdown', function ($app) {
+            $environment = $app['comment_markdown.environment'];
+            $docParser = new DocParser($environment);
+            $htmlRenderer = new HtmlRenderer($environment);
+
+            return new Converter($docParser, $htmlRenderer);
+        });
+    }
+
+    public function provides()
+    {
+        return [
+            'comment_markdown.environment',
+            'comment_markdown',
+        ];
+    }
+}
diff --git a/config/app.php b/config/app.php
@@ -177,6 +177,7 @@
         App\Providers\AnnotationsServiceProvider::class,
         App\Providers\DocumentsServiceProvider::class,
         App\Config\SiteConfigServiceProvider::class,
+        App\Providers\CommentMarkdownServiceProvider::class,
 
         /**
          * Vendor Providers...
diff --git a/config/markdown.php b/config/markdown.php
@@ -0,0 +1,143 @@
+<?php
+
+/*
+ * This file is part of Laravel Markdown.
+ *
+ * (c) Graham Campbell <graham@alt-three.com>
+ *
+ * For the full copyright and license information, please view the LICENSE
+ * file that was distributed with this source code.
+ */
+
+return [
+
+    /*
+    |--------------------------------------------------------------------------
+    | Enable View Integration
+    |--------------------------------------------------------------------------
+    |
+    | This option specifies if the view integration is enabled so you can write
+    | markdown views and have them rendered as html. The following extensions
+    | are currently supported: ".md", ".md.php", and ".md.blade.php". You may
+    | disable this integration if it is conflicting with another package.
+    |
+    | Default: true
+    |
+    */
+
+    'views' => true,
+
+    /*
+    |--------------------------------------------------------------------------
+    | CommonMark Extensions
+    |--------------------------------------------------------------------------
+    |
+    | This option specifies what extensions will be automatically enabled.
+    | Simply provide your extension class names here.
+    |
+    | Default: []
+    |
+    */
+
+    'extensions' => [],
+
+    /*
+    |--------------------------------------------------------------------------
+    | Renderer Configuration
+    |--------------------------------------------------------------------------
+    |
+    | This option specifies an array of options for rendering HTML.
+    |
+    | Default: [
+    |              'block_separator' => "\n",
+    |              'inner_separator' => "\n",
+    |              'soft_break'      => "\n",
+    |          ]
+    |
+    */
+
+    'renderer' => [
+        'block_separator' => "\n",
+        'inner_separator' => "\n",
+        'soft_break'      => "\n",
+    ],
+
+    /*
+    |--------------------------------------------------------------------------
+    | Enable Em Tag Parsing
+    |--------------------------------------------------------------------------
+    |
+    | This option specifies if `<em>` parsing is enabled.
+    |
+    | Default: true
+    |
+    */
+
+    'enable_em' => true,
+
+    /*
+    |--------------------------------------------------------------------------
+    | Enable Strong Tag Parsing
+    |--------------------------------------------------------------------------
+    |
+    | This option specifies if `<strong>` parsing is enabled.
+    |
+    | Default: true
+    |
+    */
+
+    'enable_strong' => true,
+
+    /*
+    |--------------------------------------------------------------------------
+    | Enable Asterisk Parsing
+    |--------------------------------------------------------------------------
+    |
+    | This option specifies if `*` should be parsed for emphasis.
+    |
+    | Default: true
+    |
+    */
+
+    'use_asterisk' => true,
+
+    /*
+    |--------------------------------------------------------------------------
+    | Enable Underscore Parsing
+    |--------------------------------------------------------------------------
+    |
+    | This option specifies if `_` should be parsed for emphasis.
+    |
+    | Default: true
+    |
+    */
+
+    'use_underscore' => true,
+
+    /*
+    |--------------------------------------------------------------------------
+    | HTML Input
+    |--------------------------------------------------------------------------
+    |
+    | This option specifies how to handle untrusted HTML input.
+    |
+    | Default: 'strip'
+    |
+    */
+
+    'html_input' => 'allow',
+
+    /*
+    |--------------------------------------------------------------------------
+    | Allow Unsafe Links
+    |--------------------------------------------------------------------------
+    |
+    | This option specifies whether to allow risky image URLs and links.
+    |
+    | Default: true
+    |
+    */
+
+    'allow_unsafe_links' => true,
+
+];
