friendsofphp, OpenJS Foundation, FRIENDSOFPHP:ERUSEV:PARSEDOWN:CVE-2018-1000162
Jan 01, 1970 - 12:00 a.m.

Cross-Site Scripting

1970-01-01 00:00:00
OpenJS Foundation
github.com
CVSS2: 4.3 Medium

Attack Vector: NETWORK
Attack Complexity: MEDIUM
Authentication: NONE
Confidentiality Impact: NONE
Integrity Impact: PARTIAL
Availability Impact: NONE

AV:N/AC:M/Au:N/C:N/I:P/A:N

CVSS3: 6.1 Medium

Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: REQUIRED
Scope: CHANGED
Confidentiality Impact: LOW
Integrity Impact: LOW
Availability Impact: NONE

CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

EPSS: 0.001 Low
Percentile: 33.4%

I’ve picked up on the work started over at #276 and rebased on erusev/master. Since this is rebased on master, I can’t point a PR at naNuke/master without running into the merge conflicts that I’ve already resolved manually.

I’ve implemented what I suggested earlier so that all attributes are properly encoded (and not just the specific ones we remember).

I’ve also added some tests, so @erusev’s concern here should hopefully now be resolved, albeit a year later 😉

#276 (comment): "@malas one reason is the lack of tests"

One thing to note is that all this can be circumvented if you forget to turn on $Parsedown->setMarkupEscaped(true); (which is off by default) as you could just write a script tag manually for XSS (even though the attributes and link destinations will be safe). So let’s all remember to enable this setting 😉

Attributes are now always escaped properly (this speaks to just outputting things correctly), but link-based XSS or XSS from writing plain old script tags will be prevented only if the new setSafeMode is enabled.

    $Parsedown->setSafeMode(true);

Closes #161
Closes #497
Closes #276
Closes #403
Closes #530

The following CVE has been assigned to the vulnerability specific to bypassing ->setMarkupEscaped(true): CVE-2018-1000162.

Affected configurations

Vulners
Node
erusev parsedown Range <1.7.0
CPE Name Operator Version
erusev/parsedown lt 1.7.0
