Alanaktion / phproject

A high performance full-featured project management system
https://www.phproject.org
GNU General Public License v3.0

Serious issues with parsing Markdown #380

Closed Backpackstudio closed 5 years ago

Backpackstudio commented 5 years ago

There are serious issues with parsing Markdown. Especially when text contains links.

Markdown parsing fails totally.

But when I click on preview, text is generated correctly.

Backpackstudio commented 5 years ago

My first trackdown leads here:

\Helper\View::instance()->render()

Error should happen inside of this method.

Backpackstudio commented 5 years ago

Probably it happens somewhere here:

    /**
     * Passes a string through the Markdown parser
     * @param  string $str
     * @param  bool   $escape Escape raw HTML markup in the input (passed to Parsedown::setMarkupEscaped)
     * @return string
     */
    protected function _parseMarkdown($str, $escape = true)
    {
        $mkd = new \Parsedown();
        $mkd->setUrlsLinked(false);
        $mkd->setMarkupEscaped($escape);
        return $mkd->text($str);
    }
Backpackstudio commented 5 years ago

If I validate the entered text here: https://parsedown.org/demo, then the text is generated as supposed. Also I have the latest stable version of Parsedown installed.

I did composer update just in case too:

composer update
Loading composer repositories with package information
Updating dependencies (including require-dev)
Package operations: 0 installs, 6 updates, 0 removals
  - Updating paragonie/random_compat (v2.0.17 => v2.0.18): Downloading (100%)
  - Updating netcarver/textile (v3.7.0 => v3.7.3): Downloading (100%)
  - Updating erusev/parsedown (1.7.1 => 1.7.3): Downloading (100%)
  - Updating neos/diff (3.3.16 => 3.3.23): Downloading (100%)
  - Updating symfony/polyfill (v1.10.0 => v1.12.0): Downloading (100%)
  - Updating symfony/intl (v3.4.20 => v3.4.31): Downloading (100%)
Writing lock file
Generating autoload files
Backpackstudio commented 5 years ago

After some debugging it is obvious that the error occurs somewhere in the method parseText (class View extends \Template).

public function parseText($str, $options = array(), $ttl = null)

Output of this method is invalid.

Backpackstudio commented 5 years ago

The current trackdown shows that valid HTML is generated by _parseMarkdown. The HTML is messed up somewhere later in the method parseText.

        if ($options["markdown"]) {
            $str = $this->_parseMarkdown($str);
        }

Variable $str contains proper HTML after that call.

Backpackstudio commented 5 years ago

Content is valid also after _parseUrls call.

        if ($options["urls"]) {
            $str = $this->_parseUrls($str);
        }
Backpackstudio commented 5 years ago

Content is invalid after xss_clean call (view.php).

$str = $antiXss->xss_clean($str);

Backpackstudio commented 5 years ago

After updating anti-xss from original source, text is parsed correctly!

https://github.com/voku/anti-xss

You have to replace content of vendor/voku/anti-xss/src/voku/helper with new version.

Also please note that it now comes with /anti-xss/src/voku/helper/data/entities_fallback.php

Backpackstudio commented 5 years ago

Latest voku/anti-xss is 4.1.14, but your composer.lock has locked it on 2.3.1!!

Backpackstudio commented 5 years ago

Also voku/portable-utf8 requires an update.

Alanaktion commented 5 years ago

This should be fixed in a6a51a9bea6e891130e771326e8bedf20bf7997f, which will be included in a release soon.