Custom Query (2152 matches)
Results (778 - 780 of 2152)
Ticket | Resolution | Summary | Owner | Reporter |
---|---|---|---|---|
#1180 | fixed | Links in markdown can be badly formed | dread | dread |
Description |
User can insert bad anchor tags into the User-About and Package-Notes fields and when you view them (web interface) it causes a 500 error. Need to improve filtering for anchors in markdown.

<a href="http://xxxsex.com>nasty/website

Also check this related exception:

Module ckan.controllers.user:59 in read
<<  c.is_myself = user.name == c.user
    c.api_key = user.apikey
    c.about_formatted = self._format_about(user.about)
    revisions_q = model.Session.query(model.Revision
        ).filter_by(author=user.name)
>>  c.about_formatted = self._format_about(user.about)
Module ckan.controllers.user:167 in _format_about
<<  def _format_about(self, about):
        about_formatted = ckan.misc.MarkdownFormat().to_html(about)
        return genshi.HTML(about_formatted)
    def _get_form_password(self):
>>  return genshi.HTML(about_formatted)
WebApp Error: <class 'genshi.input.ParseError'>: junk characters in start tag: u'\u201dhttp://www.settingu': line 1, column 3 |
|||
#1181 | fixed | Link spam vulnerability in Notes and User-About fields | dread | dread |
Description |
When viewing a user and a package, the about/notes fields contain Markdown, which may have links. These should have rel="nofollow" to discourage link spam. |
|||
#1183 | fixed | Downloads "Preview" button doesn't preview. | johnglover | nickstenning |
Description |
The "Preview" button is a nice idea, but it doesn't seem to actually "preview" anything if the file MIME type would ordinarily cause the browser to download the file. If so, the browser does indeed just download the file. This is notable in the context of most hosted file services (including Google Storage) which will deliberately serve a MIME type of application/x-some-junk-here in order to force a download. |