OP Regular Newbie Apr 17, 2026 6:24pm

Severity: HIGH

Location: src/Services/MarkdownService.php:33, 64

Bug: CommonMark allows raw HTML; HTMLPurifier config still permits style attributes.

Fix: Switch to 'strip' or 'escape'; drop style from HTMLPurifier HTML.Allowed.

Status: open. Will reply with remediation details when resolved.

Regular Newbie Apr 17, 2026 6:43pm

Resolved.

Tightened MarkdownService so CommonMark no longer trusts raw HTML as input (src/Services/MarkdownService.php):

  • Both toHtml() and toSignatureHtml() now set 'html_input' => 'escape'. Raw HTML in user input is HTML-escaped at the Markdown layer instead of being passed through to HTMLPurifier.
  • BBCode pass was moved AFTER Markdown in toHtml(). [b]text[/b] has no HTML meaning so it survives Markdown's escape, then BbcodeParser::toHtml() converts it to <b>text</b> for the purifier. Users keep their BBCode + Markdown formatting; raw <script> becomes harmless text.
  • HTMLPurifier remains the final pass on everything.

Test suite: 93/93 pass, all MarkdownService tests green (bold/italic/bbcode-bold/bbcode-italic/bbcode-url/script-strip).

This closes the "wide attack surface" aspect — any future CommonMark or HTMLPurifier bypass now has two layers to break instead of one.

Locking this thread.
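The two pipeline shapes discussed in this thread, side by side, as an added example (not the 6502ish.com MarkdownService and not the site's BbcodeParser). It assumes league/commonmark v2 and ezyang/htmlpurifier installed through Composer; bbcodeToHtml() is a minimal stand-in for BbcodeParser::toHtml(), whose real implementation is not shown here, and the allow-lists passed to purifier() are illustrative, not the site's actual config.

```php
<?php
// Added example (not the 6502ish.com MarkdownService). Assumes
// league/commonmark v2 and ezyang/htmlpurifier installed via Composer.
// bbcodeToHtml() is a minimal stand-in for the site's BbcodeParser::toHtml(),
// whose real implementation is not shown in the thread.
declare(strict_types=1);

require __DIR__ . '/vendor/autoload.php';

use League\CommonMark\CommonMarkConverter;

/** Stand-in BBCode pass: [b], [i] and [url=http(s)://...] only. */
function bbcodeToHtml(string $text): string
{
    $text = preg_replace('#\[b\](.*?)\[/b\]#s', '<b>$1</b>', $text);
    $text = preg_replace('#\[i\](.*?)\[/i\]#s', '<i>$1</i>', $text);
    // Only http(s) targets become links; any other [url=...] stays literal text.
    $text = preg_replace(
        '#\[url=(https?://[^\]\s"\']+)\](.*?)\[/url\]#s',
        '<a href="$1">$2</a>',
        $text
    );
    return $text;
}

/** HTMLPurifier instance with an explicit element/attribute allow-list. */
function purifier(string $allowed): HTMLPurifier
{
    $config = HTMLPurifier_Config::createDefault();
    $config->set('HTML.Allowed', $allowed);
    return new HTMLPurifier($config);
}

/**
 * Shape the report describes: BBCode runs first, CommonMark passes raw HTML
 * through ('allow' is the library default), and style survives the purifier.
 * The purifier is the only layer between user input and the page.
 */
function toHtmlBefore(string $input): string
{
    $markdown = new CommonMarkConverter(['html_input' => 'allow']);
    $html = $markdown->convert(bbcodeToHtml($input))->getContent();
    return purifier('p,b,i,a[href],span[style]')->purify($html);
}

/**
 * Shape the resolution describes: CommonMark escapes raw HTML, the BBCode
 * pass runs on the escaped output, and the purifier no longer allows style.
 */
function toHtmlAfter(string $input): string
{
    $markdown = new CommonMarkConverter([
        'html_input'         => 'escape',
        'allow_unsafe_links' => false,   // also refuse javascript:/data: link targets
    ]);
    $html = $markdown->convert($input)->getContent();
    $html = bbcodeToHtml($html);        // [b]x[/b] survived the escape; now becomes <b>x</b>
    return purifier('p,b,i,a[href]')->purify($html);
}

// Constructed sample post mixing BBCode, Markdown, raw HTML and a style attribute.
$sample = "[b]bold[/b] and *italic*\n\n<script>alert(1)</script> <span style=\"color:red\">red</span>";

echo "before: ", toHtmlBefore($sample), "\n";
echo "after:  ", toHtmlAfter($sample), "\n";
```

In toHtmlAfter() the `<script>` and `<span style=...>` fragments reach the purifier already entity-encoded, so they are rendered as visible text whether or not the purifier would have caught them; that is the second layer the resolution refers to. Two consequences of the ordering are worth knowing: BBCode markers inside a Markdown code span or fenced block are still rewritten, because the BBCode pass runs on the rendered HTML; and whatever the BBCode pass emits is trusted HTML from the purifier's point of view, so its attribute handling (the http(s)-only [url] pattern above) matters as much as the allow-list. `convert()->getContent()` is the league/commonmark v2 API; v1 returned a string from `convertToHtml()`.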

