From 6ae19a6e16ef3ba730692bc899851342c858bb94 Mon Sep 17 00:00:00 2001
From: Luke Towers
Date: Mon, 25 May 2020 18:05:13 -0600
Subject: [PATCH] Implement support for backend.allow_unsafe_markdown and improve support for Swoole
---
 formwidgets/BlogMarkdown.php | 34 +++++++++++++++++++++++++++-------
 models/Post.php | 6 ++++++
 2 files changed, 33 insertions(+), 7 deletions(-)
diff --git a/formwidgets/BlogMarkdown.php b/formwidgets/BlogMarkdown.php
index 9907c0df..caff7189 100644
--- a/formwidgets/BlogMarkdown.php
+++ b/formwidgets/BlogMarkdown.php
@@ -20,6 +20,9 @@
 */
 class BlogMarkdown extends MarkdownEditor
 {
+ /**
+ * {@inheritDoc}
+ */
 public function init()
 {
 $this->viewPath = base_path().'/modules/backend/formwidgets/markdowneditor/partials';
@@ -29,12 +32,28 @@ public function init()
 parent::init();
 }
+ /**
+ * {@inheritDoc}
+ */
 protected function loadAssets()
 {
 $this->assetPath = '/modules/backend/formwidgets/markdowneditor/assets';
 parent::loadAssets();
 }
+ /**
+ * Disable HTML cleaning on the widget level since the PostModel will handle it
+ *
+ * @return boolean
+ */
+ protected function shouldCleanHtml()
+ {
+ return false;
+ }
+
+ /**
+ * {@inheritDoc}
+ */
 public function onRefresh()
 {
 $content = post($this->formField->getName());
@@ -46,6 +65,11 @@ public function onRefresh()
 ];
 }
+ /**
+ * Handle images being uploaded to the blog post
+ *
+ * @return void
+ */
 protected function checkUploadPostback()
 {
 if (!post('X_BLOG_IMAGE_UPLOAD')) {
@@ -90,11 +114,9 @@ protected function checkUploadPostback()
 ];
 $response = Response::make()->setContent($result);
- $response->send();
+ $this->controller->setResponse($response);
- die();
- }
- catch (Exception $ex) {
+ } catch (Exception $ex) {
 $message = $uploadedFileName
 ? Lang::get('cms::lang.asset.error_uploading_file', ['name' => $uploadedFileName, 'error' => $ex->getMessage()])
 : $ex->getMessage();
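Review bot: The new `shouldCleanHtml()` in the `@@ -29,12 +32,28 @@` hunk turns off the editor's own HTML cleaning for every use of this widget, so output safety now rests entirely on whichever model processes the field, and the docblock should state that dependency rather than just name it. I would expand the comment to: `Disable HTML cleaning at the widget level. Post::formatHtml() is expected to run Html::clean() on the rendered markdown (unless the user holds backend.allow_unsafe_markdown); do not reuse this widget with a model that does not sanitize.` The `@return boolean` tag is also better written as `@return bool`, matching the short type names used elsewhere in PHP code. The class body continues outside this hunk.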
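Review bot: In the `@@ -90,11 +114,9 @@` hunk the replacement of `$response->send(); … die();` with `$this->controller->setResponse($response);` means the upload request is no longer terminated at this point; the remainder of `checkUploadPostback()` and whatever calls it (both outside the hunk) now keep running, and the client only gets the upload result if the controller later emits the stored response in place of its normal output. That behaviour is implied but not stated anywhere in the hunk, and the same pattern is repeated in the catch branch. I would add a comment above the new line, e.g. `// Hand the result to the controller instead of send()+die(): the request is not terminated here, so the controller must return this response in place of the normal page (keeps long-running servers such as Swoole alive).`, so a later maintainer does not reintroduce `die()` or assume nothing runs after this call.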
@@ -105,9 +127,7 @@ protected function checkUploadPostback()
 ];
 $response = Response::make()->setContent($result);
- $response->send();
-
- die();
+ $this->controller->setResponse($response);
 }
 }
 }
diff --git a/models/Post.php b/models/Post.php
index ba701e21..aa5ab8b4 100644
--- a/models/Post.php
+++ b/models/Post.php
@@ -189,6 +189,12 @@ public static function formatHtml($input, $preview = false)
 {
 $result = Markdown::parse(trim($input));
+ // Check to see if the HTML should be cleaned from potential XSS
+ $user = BackendAuth::getUser();
+ if (!$user || !$user->hasAccess('backend.allow_unsafe_markdown')) {
+ $result = Html::clean($result);
+ }
+
 if ($preview) {
 $result = str_replace('
', '
', $result);
         }
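Review bot: The added `if (!$user || !$user->hasAccess('backend.allow_unsafe_markdown'))` check makes the sanitization decision depend on the backend user of the current request, which is a sound fail-closed default (no user means the HTML is cleaned) but it is undocumented on a static helper that can be called from anywhere. I would extend the `formatHtml` docblock with a note such as `Output is passed through Html::clean() unless the currently authenticated backend user holds backend.allow_unsafe_markdown; when there is no backend user (console, frontend, queue) the HTML is always cleaned.` Because the check runs at format time, the stored HTML presumably reflects the permission of whoever last saved the post, so a later save by an unprivileged user will strip markup a privileged author relied on; that is worth a sentence in the same docblock. The permission name is only referenced here, so unless it is registered elsewhere in the plugin (not visible in this diff) it cannot be granted through the backend.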