From add8d18c804cd229d7c4e24308449d587219fea5 Mon Sep 17 00:00:00 2001
From: Aidan Woods
Date: Mon, 30 Dec 2019 22:31:43 +0000
Subject: [PATCH] Add rawHtml without using it (extensions may opt-in)
---
Parsedown.php | 25 ++++++++++++++++++++++---
test/ParsedownTest.php | 36 ++++++++++++++++++++++++++++++++++++
test/SampleExtensions.php | 39 +++++++++++++++++++++++++++++++++++++++
3 files changed, 97 insertions(+), 3 deletions(-)
create mode 100644 test/SampleExtensions.php
diff --git a/Parsedown.php b/Parsedown.php
index fab15e9ee..f4249bb6a 100644
--- a/Parsedown.php
+++ b/Parsedown.php
@@ -1489,22 +1489,41 @@ protected function element(array $Element)
}
}
+ $permitRawHtml = false;
+
if (isset($Element['text']))
+ {
+ $text = $Element['text'];
+ }
+ // very strongly consider an alternative if you're writing an
+ // extension
+ elseif (isset($Element['rawHtml']))
+ {
+ $text = $Element['rawHtml'];
+ $allowRawHtmlInSafeMode = isset($Element['allowRawHtmlInSafeMode']) && $Element['allowRawHtmlInSafeMode'];
+ $permitRawHtml = !$this->safeMode || $allowRawHtmlInSafeMode;
+ }
+
+ if (isset($text))
{
$markup .= '>';
- if (!isset($Element['nonNestables']))
+ if (!isset($Element['nonNestables']))
{
$Element['nonNestables'] = array();
}
if (isset($Element['handler']))
{
- $markup .= $this->{$Element['handler']}($Element['text'], $Element['nonNestables']);
+ $markup .= $this->{$Element['handler']}($text, $Element['nonNestables']);
+ }
+ elseif (!$permitRawHtml)
+ {
+ $markup .= self::escape($text, true);
}
else
{
- $markup .= self::escape($Element['text'], true);
+ $markup .= $text;
}
$markup .= ''.$Element['name'].'>';
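Review bot: The comment above `elseif (isset($Element['rawHtml']))` warns extension authors off but does not say what is at stake: `$text` taken from `rawHtml` is appended to `$markup` unescaped whenever `safeMode` is off or the element sets `allowRawHtmlInSafeMode`. I would spell that out, e.g. `// rawHtml is output verbatim unless safeMode is on and allowRawHtmlInSafeMode is unset; the extension alone is responsible for escaping anything untrusted in it`. The `handler` branch is also tested before `$permitRawHtml`, so an element carrying both `rawHtml` and `handler` has its content passed to the handler exactly as `text` would be; that precedence deserves a line in the comment or a test. `element()` starts and ends outside this hunk.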
diff --git a/test/ParsedownTest.php b/test/ParsedownTest.php
index c28cedf67..284f5e91e 100644
--- a/test/ParsedownTest.php
+++ b/test/ParsedownTest.php
@@ -1,5 +1,7 @@
assertEquals($expectedMarkup, $actualMarkup);
}
+ function testRawHtml()
+ {
+ $markdown = "```php\nfoobar\n```";
+ $expectedMarkup = 'foobar
';
+ $expectedSafeMarkup = '<p>foobar</p>
';
+
+ $unsafeExtension = new UnsafeExtension;
+ $actualMarkup = $unsafeExtension->text($markdown);
+
+ $this->assertEquals($expectedMarkup, $actualMarkup);
+
+ $unsafeExtension->setSafeMode(true);
+ $actualSafeMarkup = $unsafeExtension->text($markdown);
+
+ $this->assertEquals($expectedSafeMarkup, $actualSafeMarkup);
+ }
+
+ function testTrustDelegatedRawHtml()
+ {
+ $markdown = "```php\nfoobar\n```";
+ $expectedMarkup = 'foobar
';
+ $expectedSafeMarkup = $expectedMarkup;
+
+ $unsafeExtension = new TrustDelegatedExtension;
+ $actualMarkup = $unsafeExtension->text($markdown);
+
+ $this->assertEquals($expectedMarkup, $actualMarkup);
+
+ $unsafeExtension->setSafeMode(true);
+ $actualSafeMarkup = $unsafeExtension->text($markdown);
+
+ $this->assertEquals($expectedSafeMarkup, $actualSafeMarkup);
+ }
+
function data()
{
$data = array();
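Review bot: Both new tests use the fence payload `foobar`, which contains nothing an escaper would change, so `testTrustDelegatedRawHtml` cannot show what reaches the output when the fenced content itself holds markup and `allowRawHtmlInSafeMode` is set. A second case whose payload contains `<` and `&` would pin down whether the content inside the wrapper is escaped in safe mode. In the same test the variable holding a `TrustDelegatedExtension` is still named `$unsafeExtension`; `$trustDelegatedExtension` would read better. The start of this hunk is not visible in this rendering, and the expected-markup strings appear to have lost their tags.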
diff --git a/test/SampleExtensions.php b/test/SampleExtensions.php
new file mode 100644
index 000000000..1889146b7
--- /dev/null
+++ b/test/SampleExtensions.php
@@ -0,0 +1,39 @@
+$text
";
+
+ return $Block;
+ }
+}
+
+class TrustDelegatedExtension extends Parsedown
+{
+ protected function blockFencedCodeComplete($Block)
+ {
+ $text = $Block['element']['text']['text'];
+ unset($Block['element']['text']['text']);
+
+ // WARNING: There is almost always a better way of doing things!
+ //
+ // This behaviour is NOT needed in the demonstrated case.
+ // Only use this if you are sure that the result being added into
+ // rawHtml is safe.
+ // (e.g. using an external parser with escaping capabilities).
+ $Block['element']['text']['rawHtml'] = "$text
";
+ $Block['element']['text']['allowRawHtmlInSafeMode'] = true;
+
+ return $Block;
+ }
+}
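Review bot: `TrustDelegatedExtension::blockFencedCodeComplete` interpolates `$text` into `rawHtml` without escaping while also setting `allowRawHtmlInSafeMode`, and as far as the hunk shows, `$text` is the fence content read straight from `$Block['element']['text']['text']`. Anyone copying the sample would emit document-author content unescaped even with safe mode on, which is the opposite of what the warning comment asks for. The sample should escape the interpolated value, e.g. build the string with `self::escape($text)` (assuming `escape()` is reachable from subclasses), so the demonstrated opt-in is safe as written. The string literal appears to have lost its markup in this rendering, and the top of the file, including `UnsafeExtension`, is not visible here.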