From 05d2707d501b7b1cdd98b0802121e69a6df7d05d Mon Sep 17 00:00:00 2001
From: Hypolite Petovan
Date: Mon, 2 Nov 2020 11:02:08 -0500
Subject: [PATCH] [markdown] Escape mentions which username can contain Markdown-like syntax
---
 markdown/markdown.php | 35 +++++++++++++---------------------
 1 file changed, 13 insertions(+), 22 deletions(-)

diff --git a/markdown/markdown.php b/markdown/markdown.php
index f02bc2a01..4f12e7137 100644
--- a/markdown/markdown.php
+++ b/markdown/markdown.php
@@ -47,26 +47,17 @@ function markdown_post_local_start(App $a, &$request) { return; }
- // Elements that shouldn't be parsed
- $elements = ['code', 'noparse', 'nobb', 'pre', 'share', 'url', 'img', 'bookmark',
- 'audio', 'video', 'youtube', 'vimeo', 'attachment', 'iframe', 'map', 'mail'];
- foreach ($elements as $element) {
- $request['body'] = preg_replace_callback("/\[" . $element . "(.*?)\](.*?)\[\/" . $element . "\]/ism",
- function ($match) use ($element) {
- return '[' . $element . '-b64' . base64_encode($match[1]) . ']' . base64_encode($match[2]) . '[/b64-' . $element . ']';
- },
- $request['body']
- );
- }
-
- $request['body'] = Markdown::toBBCode($request['body']);
-
- foreach (array_reverse($elements) as $element) {
- $request['body'] = preg_replace_callback("/\[" . $element . "-b64(.*?)\](.*?)\[\/b64-" . $element . "\]/ism",
- function ($match) use ($element) {
- return '[' . $element . base64_decode($match[1]) . ']' . base64_decode($match[2]) . '[/' . $element . ']';
- },
- $request['body']
- );
- }
+ // Escape elements that shouldn't be parsed
+ $request['body'] = \Friendica\Content\Text\BBCode::performWithEscapedTags(
+ $request['body'],
+ ['code', 'noparse', 'nobb', 'pre', 'share', 'url', 'img', 'bookmark',
+ 'audio', 'video', 'youtube', 'vimeo', 'attachment', 'iframe', 'map', 'mail'],
+ function ($body) {
+ // Escape mentions which username can contain Markdown-like characters
+ // See https://github.com/friendica/friendica/issues/9486
+ return \Friendica\Util\Strings::performWithEscapedBlocks($body, '/[@!][^@\s]+@[^\s]+\w/', function ($text) {
+ return Markdown::toBBCode($text);
+ });
+ }
+ );
 }
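Review bot: The mention pattern handed to performWithEscapedBlocks, `'/[@!][^@\s]+@[^\s]+\w/'`, runs without the `u` modifier, so `\s` and `\w` are ASCII-only and a mention whose user or host part ends in a non-ASCII character (an IDN host, a Unicode nickname) is not matched and still goes through Markdown::toBBCode — the very mangling this commit sets out to prevent. The tail `[^\s]+\w` is also greedy up to the next whitespace, so any text glued to a mention (e.g. `@user@host.tld,see_this`) is withheld from Markdown along with it; `'/[@!][^@\s]+@[^\s]+\w/u'` plus a regression test with a non-ASCII host would be the minimum, and a tighter host class is worth considering. Both escape helpers presumably swap matched spans for placeholders and restore them after conversion, so it is worth confirming that a mention directly abutting an already-escaped BBCode tag cannot extend the inner placeholder into the outer one; neither helper's body is in this diff. markdown_post_local_start begins before this hunk.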