Randomizes temporary reference token name.

Closes issue #115
textile · Oct 24, 2013 · 4b0c406 · 4b0c406 · gocom · Oct 24, 2013
1 parent 6fa02a0
commit 4b0c406
Show file tree

Hide file tree

Showing 2 changed files with 27 additions and 5 deletions.
diff --git a/src/Netcarver/Textile/Parser.php b/src/Netcarver/Textile/Parser.php
@@ -765,6 +765,14 @@ class Parser
 
     protected $tag_index = 1;
 
+    /**
+     * Span reference token prefix.
+     *
+     * @var string
+     */
+
+    protected $spanReferenceTokenPrefix;
+
     /**
      * Constructor.
      *
@@ -1036,6 +1044,14 @@ public function textileRestricted($text, $lite = true, $noimage = true, $rel = '
 
     protected function textileCommon($text, $lite)
     {
+        while (1) {
+            $this->spanReferenceTokenPrefix = 'textile' . uniqid(rand());
+
+            if (strpos($text, $this->spanReferenceTokenPrefix) === false) {
+                break;
+            }
+        }
+
         if ($lite) {
             $this->blocktag_whitelist = array('bq', 'p');
             $text = $this->blocks($text."\n\n");
@@ -2129,17 +2145,17 @@ protected function storeTags($opentag, $closetag = '')
         $key = str_pad((string) $key, 10, '0', STR_PAD_LEFT).'z'; // $key must be of fixed length to allow proper matching in retrieveTags
         $this->tagCache[$key] = array('open' => $opentag, 'close' => $closetag);
         $tags = array(
-            'open'  => "textileopentag{$key} ",
-            'close' => " textileclosetag{$key}",
+            'open'  => "{$this->spanReferenceTokenPrefix}opentag{$key} ",
+            'close' => " {$this->spanReferenceTokenPrefix}closetag{$key}",
         );
         return $tags;
     }
 
 
     protected function retrieveTags($text)
     {
-        $text = preg_replace_callback('/textileopentag([\d]{10}z) /', array(&$this, 'fRetrieveOpenTags'), $text);
-        $text = preg_replace_callback('/ textileclosetag([\d]{10}z)/', array(&$this, 'fRetrieveCloseTags'), $text);
+        $text = preg_replace_callback('/'.$this->spanReferenceTokenPrefix.'opentag([\d]{10}z) /', array(&$this, 'fRetrieveOpenTags'), $text);
+        $text = preg_replace_callback('/ '.$this->spanReferenceTokenPrefix.'closetag([\d]{10}z)/', array(&$this, 'fRetrieveCloseTags'), $text);
         return $text;
     }
 

diff --git a/test/basic.yaml b/test/basic.yaml
@@ -3151,4 +3151,10 @@ Restricted mode security filtering mode with default options :
 
     <p>&#8220;javascript link&#8221;:javacript:window.alert()</p>
 
-    <p>notextile. &lt;iframe src=&#8220;xss/attempt&#8221;&gt;&lt;/iframe&gt;&lt;&amp;#123&gt;&lt;script&gt;window.alert(&#8216;success&#8217;)&lt;/script&gt;</p>
+    <p>notextile. &lt;iframe src=&#8220;xss/attempt&#8221;&gt;&lt;/iframe&gt;&lt;&amp;#123&gt;&lt;script&gt;window.alert(&#8216;success&#8217;)&lt;/script&gt;</p>
+
+Token references :
+  input : |
+    Hello textileopentag0000000001z World!
+  expect : |
+    <p>Hello textileopentag0000000001z World!</p>