http://localhost/ticket/1180 <p> User can insert bad things into their About field and when you view the user (web interface) then it causes a 500 error - something is not right here. Need to filter to just safe markdown, as we do for the package notes field. </p> <pre class="wiki">&lt;a href="http://xxxsex.com&gt;nasty/website </pre> en-us http://assets.okfn.org/p/ckan/img/ckan_logo_shortname.png http://localhost/ticket/1180 Trac 0.12.3 dread Tue, 07 Jun 2011 19:31:07 GMT http://localhost/ticket/1180#comment:1 http://localhost/ticket/1180#comment:1 <ul> <li><strong>description</strong> modified (<a href="/ticket/1180?action=diff&amp;version=1">diff</a>) </li> </ul> Ticket dread Wed, 08 Jun 2011 14:43:43 GMT http://localhost/ticket/1180#comment:2 http://localhost/ticket/1180#comment:2 <ul> <li><strong>status</strong> changed from <em>new</em> to <em>closed</em> </li> <li><strong>resolution</strong> set to <em>fixed</em> </li> <li><strong>description</strong> modified (<a href="/ticket/1180?action=diff&amp;version=2">diff</a>) </li> <li><strong>summary</strong> changed from <em>User 'about' field put in HTML unsafely</em> to <em>Links in markdown can be badly formed</em> </li> </ul> <p> Both issues solved using a whitelist on anchor tags. </p> <p> Second issue was a link with unicode expression of the quote. e.g. &lt;a href=\u201dsomelink\u201d&gt;somelink&lt;/a&gt; </p> Ticket