whitelist regex for good attribute (no

no chars that could form a delimiter allowed
erusev · May 2, 2017 · 4bae1c9 · 4bae1c9
1 parent aee3963
commit 4bae1c9
Showing 1 changed file with 5 additions and 12 deletions.
diff --git a/Parsedown.php b/Parsedown.php
@@ -1505,7 +1505,7 @@ function parse($text)
 
     protected function sanitiseElement(array $Element)
     {
-        static $badAttributeChars = "\"'= \t\n\r\0\x0B";
+        static $goodAttribute = '/^[a-zA-Z0-9][a-zA-Z0-9-_]*+$/';
         static $safeUrlNameToAtt  = array(
             'a'   => 'href',
             'img' => 'src',
@@ -1520,24 +1520,17 @@ protected function sanitiseElement(array $Element)
         {
             foreach ($Element['attributes'] as $att => $val)
             {
-                # clear out nulls
-                if ($val === null)
+                # filter out badly parsed attribute
+                if ( ! preg_match($goodAttribute, $att))
                 {
                     unset($Element['attributes'][$att]);
                 }
-                # filter out badly parsed attribute
-                elseif (strpbrk($att, $badAttributeChars) !== false)
+                # dump onevent attribute
+                elseif (preg_match('/^on/i', $att))
                 {
                     unset($Element['attributes'][$att]);
                 }
             }
-
-            $onEventAttributeKeys = preg_grep('/^on/i', array_keys($Element['attributes']));
-
-            foreach ($onEventAttributeKeys as $att)
-            {
-                unset($Element['attributes'][$att]);
-            }
         }
 
         return $Element;