From 9ecfb4867baae14a0d3f99f5b5c1e8a979ae8746 Mon Sep 17 00:00:00 2001
From: Luke Towers
Date: Mon, 25 May 2020 18:02:20 -0600
Subject: [PATCH] Add new backend.allow_unsafe_markdown permission
---
 modules/backend/ServiceProvider.php | 8 +++-
 .../backend/formwidgets/MarkdownEditor.php | 43 ++++++++++++++++---
 modules/backend/lang/en/lang.php | 1 +
 3 files changed, 46 insertions(+), 6 deletions(-)
diff --git a/modules/backend/ServiceProvider.php b/modules/backend/ServiceProvider.php
index 1a2dc4022..b0a5026f8 100644
--- a/modules/backend/ServiceProvider.php
+++ b/modules/backend/ServiceProvider.php
@@ -4,6 +4,7 @@
 use App;
 use Backend;
 use BackendMenu;
 use BackendAuth;
+use Backend\Models\UserRole;
 use Backend\Classes\WidgetManager;
 use System\Classes\MailManager;
 use System\Classes\CombineAssets;
@@ -168,7 +169,12 @@ class ServiceProvider extends ModuleServiceProvider
 'media.manage_media' => [
 'label' => 'backend::lang.permissions.manage_media',
 'tab' => 'system::lang.permissions.name',
- ]
+ ],
+ 'backend.allow_unsafe_markdown' => [
+ 'label' => 'backend::lang.permissions.allow_unsafe_markdown',
+ 'tab' => 'system::lang.permissions.name',
+ 'roles' => UserRole::CODE_DEVELOPER,
+ ],
 ]);
 });
 }
diff --git a/modules/backend/formwidgets/MarkdownEditor.php b/modules/backend/formwidgets/MarkdownEditor.php
index c8222e14a..d6ec6accb 100644
--- a/modules/backend/formwidgets/MarkdownEditor.php
+++ b/modules/backend/formwidgets/MarkdownEditor.php
@@ -1,7 +1,8 @@ addJs('/modules/backend/formwidgets/codeeditor/assets/js/build-min.js', 'core'); }
+ /**
+ * Check to see if the generated HTML should be cleaned to remove any potential XSS
+ *
+ * @return boolean
+ */
+ protected function shouldCleanHtml()
+ {
+ $user = BackendAuth::getUser();
+ return !$user || !$user->hasAccess('backend.allow_unsafe_markdown');
+ }
+
+ /**
+ * {@inheritDoc}
+ */
+ public function getSaveValue($value)
+ {
+ if ($this->shouldCleanHtml()) {
+ $value = Html::clean($value);
+ }
+
+ return $value;
+ }
+
+ /**
+ * AJAX handler to render the markdown as HTML
+ *
+ * @return array ['preview' => $generatedHTML]
+ */
 public function onRefresh()
 {
 $value = post($this->getFieldName());
@@ -100,6 +129,10 @@ class MarkdownEditor extends FormWidgetBase
 ? Markdown::parseSafe($value)
 : Markdown::parse($value);
+ if ($this->shouldCleanHtml()) {
+ $previewHtml = Html::clean($previewHtml);
+ }
+
 return [
 'preview' => $previewHtml
 ];
diff --git a/modules/backend/lang/en/lang.php b/modules/backend/lang/en/lang.php
index f4e933c03..1eca8313d 100644
--- a/modules/backend/lang/en/lang.php
+++ b/modules/backend/lang/en/lang.php
@@ -567,6 +567,7 @@ return [
 ],
 'permissions' => [
 'manage_media' => 'Upload and manage media contents - images, videos, sounds, documents',
+ 'allow_unsafe_markdown' => 'Use unsafe Markdown (can use HTML & JS)',
 ],
 'mediafinder' => [
 'label' => 'Media Finder',
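Review bot: The two cleaning points are not equivalent: onRefresh runs Html::clean on the rendered preview, but getSaveValue runs it on the raw Markdown source before any rendering, so the persisted value is only protected against literal HTML in the source. If Html::clean is a tag/attribute stripper (its implementation is not in this diff), Markdown-only constructs that the renderer itself turns into markup — for example a link whose URL is a `javascript:` scheme, `[x](javascript:alert(1))` — pass through unchanged and are only neutralised if the eventual display path renders with `Markdown::parseSafe` or cleans the rendered output, which is outside this hunk. At minimum the save-side guard should say what it does and does not cover, e.g. replacing the bare `{@inheritDoc}` with `Strips raw HTML from the Markdown source for users without backend.allow_unsafe_markdown; markup produced by the Markdown renderer itself must be handled where the value is rendered.` The `@return boolean` on shouldCleanHtml should also be `@return bool` to match the short-form type used elsewhere in PHPDoc. The body of onRefresh continues outside this hunk.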