Add ablity to opt-out of iframe escaping

calebporzio · Mar 6, 2019 · a5f7cd2 · a5f7cd2
1 parent e3f5a61
commit a5f7cd2
Show file tree

Hide file tree

Showing 5 changed files with 96 additions and 7 deletions.
diff --git a/README.md b/README.md
@@ -75,19 +75,36 @@ GitDown::parseAndCache($markdown, function ($parse) {
 });
 ```
 
+## Allowing Iframes
+By default, GitHub sanitizes HTML tags it deems "unsafe" like `<iframe>`s. However, it's common to embed video or audio into your markdown with `<iframe>`s.
+
+GitDown can intelligently preserve your iframes by setting the `allowIframes` config option in `config/gitdown.php` to `true`.
+
+```php
+"allowIframes" => true,
+```
+
 ## Non-Laravel Usage
 You can set a GitHub Personal Access Token by passing it into the `GitDown`'s constructor.
 `new GitDown\GitDown($token)`
 
 ```php
-(new GitDown\GitDown($token))->parse($markdown);
+// You can pass config options into the constructur:
+$gitDown = new GitDown\GitDown(
+    $token = 'foo',
+    $context = 'your/repo',
+    $allowIframes = false
+);
+
+$gitDown->parse($markdown);
 
 // Pass in your own custom caching strategy.
-(new GitDown\GitDown($token))->parseAndCache($markdown, function ($parse) {
+$gitDown->parseAndCache($markdown, function ($parse) {
     return Cache::rememberForever(sha1($markdown), function () use ($parse) {
         return $parse();
     });
 });
+
 ```
 
 ## Markdown/Syntax CSS

diff --git a/src/GitDown.php b/src/GitDown.php
@@ -8,21 +8,34 @@ class GitDown
 {
     protected $token;
     protected $context;
+    protected $allowIframes;
 
-    public function __construct($token = null, $context = null)
+    public function __construct($token = null, $context = null, $allowIframes = false)
     {
         $this->token = $token;
         $this->context = $context;
+        $this->allowIframes = $allowIframes;
     }
 
     public function setToken($token)
     {
         $this->token = $token;
+
+        return $this;
     }
 
-    public function setContext($token)
+    public function setContext($context)
     {
         $this->context = $context;
+
+        return $this;
+    }
+
+    public function withIframes()
+    {
+        $this->allowIframes = true;
+
+        return $this;
     }
 
     public function parse($content)
@@ -31,14 +44,48 @@ public function parse($content)
             'User-Agent' => 'GitDown Plugin',
         ] + ($this->token ? ['Authorization' => 'token '.$this->token] : []))
         ->post('https://api.github.com/markdown', [
-            'text' => $content,
+            'text' => $this->encryptIframeTags($content),
         ] + ($this->context ? ['mode' => 'gfm', 'context' => $this->context] : []));
 
         if (! $response->isOk()) {
             throw new \Exception('GitHub API Error: ' . $response->body());
         }
 
-        return (string) $response;
+        return $this->decryptIframeTags((string) $response);
+    }
+
+    public function encryptIframeTags($input)
+    {
+        if (! $this->allowIframes) {
+            return $input;
+        }
+
+        if (! preg_match_all('/<iframe[^>]*?(?:\/>|>[^<]*?<\/iframe>)/', $input, $matches)) {
+            return $input;
+        };
+
+        foreach ($matches[0] as $match) {
+            $input = str_replace($match, '\[iframe\]'. base64_encode($match).'\[endiframe\]', $input);
+        }
+
+        return $input;
+    }
+
+    public function decryptIframeTags($input)
+    {
+        if (! $this->allowIframes) {
+            return $input;
+        }
+
+        if (! preg_match_all('/\[iframe\].*\[endiframe\]/', $input, $matches)) {
+            return $input;
+        };
+
+        foreach ($matches[0] as $match) {
+            $input = str_replace($match, base64_decode(ltrim(rtrim($match, '[endiframe]'), '[iframe]')), $input);
+        }
+
+        return $input;
     }
 
     public function parseAndCache($content, $minutes = null)

diff --git a/src/GitDownServiceProvider.php b/src/GitDownServiceProvider.php
@@ -10,7 +10,11 @@ class GitDownServiceProvider extends ServiceProvider
     public function register()
     {
         app()->singleton('gitdown', function () {
-            return new GitDown(config('gitdown.token'));
+            return new GitDown(
+                config('gitdown.token'),
+                config('gitdown.context'),
+                config('gitdown.allowIframes')
+            );
         });
     }
 

diff --git a/src/config-stub.php b/src/config-stub.php
@@ -28,4 +28,17 @@
 
     'context' => null,
 
+    /*
+    |--------------------------------------------------------------------------
+    | Allow Iframes
+    |--------------------------------------------------------------------------
+    |
+    | By default, GitHub escapes any HTML tags it deems "unsafe" while parsing.
+    | For example, passing in a string like "<iframe></iframe>" will output
+    | "&lt;iframe&gt;&lt;/iframe&gt;". This config will work-around this.
+    |
+    */
+
+    'allowIframes' => false,
+
 ];
diff --git a/tests/GitDownTest.php b/tests/GitDownTest.php
@@ -47,4 +47,12 @@ protected function cacheStrategy(&$callCount)
             }
         };
     }
+
+    /** @test */
+    public function parsed_html_preserves_iframes()
+    {
+        $parsed = (new GitDown(null, null, $allowIframes = true))->parse('<iframe></iframe>');
+
+        $this->assertEquals('<p><iframe></iframe></p>', trim($parsed));
+    }
 }