My url is like page.php?path=content/x/y/z/aaa.md. Is the following php code XSS-secure?
include "Parsedown.php";
function path_purifier($path) {
if(substr($path, 0, 8) !== "content/")
return null;
if (strpos($path,'..') !== false)
return null;
return "./" . $path;
}
$parsedown = new Parsedown();
$path = $_GET['path'];
$path = path_purifier($path);
echo $parsedown->text(file_get_contents($path));
Thanks for your attention
Yes, looks secure enough, but still not perfect. You also need to call is_file() and ensure it returns true, before you call file_get_contents(). Also to make it even safer you can implement a CSRF protection on top of it.
Also, keep in mind, that some hosting providers don't allow relative paths. So if a path like '/content/x/y/file.md' might work on you local machine, keep in mind that on some hosters it will not. So you'd better always use absolute paths like __DIR__ . '/content/x/y/file.md'