Add new backend.allow_unsafe_markdown permission
This commit is contained in:
parent
655c8011b9
commit
9ecfb4867b
@ -4,6 +4,7 @@ use App;
|
|||
use Backend;
|
||||
use BackendMenu;
|
||||
use BackendAuth;
|
||||
use Backend\Models\UserRole;
|
||||
use Backend\Classes\WidgetManager;
|
||||
use System\Classes\MailManager;
|
||||
use System\Classes\CombineAssets;
|
||||
|
|
@ -168,7 +169,12 @@ class ServiceProvider extends ModuleServiceProvider
|
|||
'media.manage_media' => [
|
||||
'label' => 'backend::lang.permissions.manage_media',
|
||||
'tab' => 'system::lang.permissions.name',
|
||||
]
|
||||
],
|
||||
'backend.allow_unsafe_markdown' => [
|
||||
'label' => 'backend::lang.permissions.allow_unsafe_markdown',
|
||||
'tab' => 'system::lang.permissions.name',
|
||||
'roles' => UserRole::CODE_DEVELOPER,
|
||||
],
|
||||
]);
|
||||
});
|
||||
}
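Review bot: The registration of `backend.allow_unsafe_markdown` carries no comment saying what granting it actually does — holders skip `Html::clean()` in the Markdown editor, so any HTML or script they save is rendered as-is for everyone who later views that content — and a maintainer widening `'roles'` beyond `UserRole::CODE_DEVELOPER` would not see that consequence from this array alone. Suggest a comment directly above the new entry: `// Holders bypass Html::clean in MarkdownEditor; grant only to roles trusted with raw HTML/JS in rendered content.` The enclosing closure starts outside the hunk.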
|
||||
|
|
|
|||
|
|
@ -1,7 +1,8 @@
|
|||
<?php namespace Backend\FormWidgets;
|
||||
|
||||
use BackendAuth;
|
||||
use Html;
|
||||
use Markdown;
|
||||
use BackendAuth;
|
||||
use Backend\Classes\FormWidgetBase;
|
||||
|
||||
/**
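Review bot: `use BackendAuth;` appears twice in the displayed hunk, once directly after the namespace line and once after `use Markdown;`; the rendered view has lost the +/- markers, so if both are on the new side PHP rejects the file at compile time ("Cannot use BackendAuth as BackendAuth because the name is already in use"). The hunk counts (7 old, 8 new, 9 lines shown) appear to imply one removed and two added lines, which is consistent with one occurrence being the old placement, but that should be confirmed against the committed file so that exactly one `use BackendAuth;` survives.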
|
||||
|
|
@ -42,12 +43,12 @@ class MarkdownEditor extends FormWidgetBase
|
|||
//
|
||||
|
||||
/**
|
||||
* @inheritDoc
|
||||
* {@inheritDoc}
|
||||
*/
|
||||
protected $defaultAlias = 'markdown';
|
||||
|
||||
/**
|
||||
* @inheritDoc
|
||||
* {@inheritDoc}
|
||||
*/
|
||||
public function init()
|
||||
{
|
||||
|
|
@ -60,7 +61,7 @@ class MarkdownEditor extends FormWidgetBase
|
|||
}
|
||||
|
||||
/**
|
||||
* @inheritDoc
|
||||
* {@inheritDoc}
|
||||
*/
|
||||
public function render()
|
||||
{
|
||||
|
|
@ -84,7 +85,7 @@ class MarkdownEditor extends FormWidgetBase
|
|||
}
|
||||
|
||||
/**
|
||||
* @inheritDoc
|
||||
* {@inheritDoc}
|
||||
*/
|
||||
protected function loadAssets()
|
||||
{
|
||||
|
|
@ -93,6 +94,34 @@ class MarkdownEditor extends FormWidgetBase
|
|||
$this->addJs('/modules/backend/formwidgets/codeeditor/assets/js/build-min.js', 'core');
|
||||
}
|
||||
|
||||
/**
|
||||
* Check to see if the generated HTML should be cleaned to remove any potential XSS
|
||||
*
|
||||
* @return boolean
|
||||
*/
|
||||
protected function shouldCleanHtml()
|
||||
{
|
||||
$user = BackendAuth::getUser();
|
||||
return !$user || !$user->hasAccess('backend.allow_unsafe_markdown');
|
||||
}
|
||||
|
||||
/**
|
||||
* {@inheritDoc}
|
||||
*/
|
||||
public function getSaveValue($value)
|
||||
{
|
||||
if ($this->shouldCleanHtml()) {
|
||||
$value = Html::clean($value);
|
||||
}
|
||||
|
||||
return $value;
|
||||
}
|
||||
|
||||
/**
|
||||
* AJAX handler to render the markdown as HTML
|
||||
*
|
||||
* @return array ['preview' => $generatedHTML]
|
||||
*/
|
||||
public function onRefresh()
|
||||
{
|
||||
$value = post($this->getFieldName());
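Review bot: `getSaveValue()` applies `Html::clean()` to the raw Markdown source, whereas `onRefresh()` in the next hunk cleans the parsed preview HTML, so the preview a user sees and the value that is stored are sanitised at different layers and can disagree. Constructs that are not HTML until parsed — Markdown link destinations, for example — are presumably untouched by an HTML cleaner at save time, while an example `<script>` inside a fenced code block in legitimate documentation is presumably stripped; cleaning the rendered output (as the preview does) is the consistent choice, or the docblock should state that save-time cleaning is a best-effort layer, not the render-time defence. A value stored while the author held the permission also stays unsanitised after the permission is revoked, which is worth a sentence in the `shouldCleanHtml()` docblock along with its fail-closed behaviour: `* Fail-closed: returns true (clean) when no backend user is authenticated or the user lacks backend.allow_unsafe_markdown.` `onRefresh()` continues outside the hunk.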
|
||||
|
|
@ -100,6 +129,10 @@ class MarkdownEditor extends FormWidgetBase
|
|||
? Markdown::parseSafe($value)
|
||||
: Markdown::parse($value);
|
||||
|
||||
if ($this->shouldCleanHtml()) {
|
||||
$previewHtml = Html::clean($previewHtml);
|
||||
}
|
||||
|
||||
return [
|
||||
'preview' => $previewHtml
|
||||
];
|
||||
|
|
|
|||
|
|
@ -567,6 +567,7 @@ return [
|
|||
],
|
||||
'permissions' => [
|
||||
'manage_media' => 'Upload and manage media contents - images, videos, sounds, documents',
|
||||
'allow_unsafe_markdown' => 'Use unsafe Markdown (can use HTML & JS)',
|
||||
],
|
||||
'mediafinder' => [
|
||||
'label' => 'Media Finder',
|
||||
|
|
|
|||