Ticket #1180: User 'about' field put in HTML unsafely

Reporter: dread
Owner: dread
Type: defect
Status: new
Priority: critical
Milestone: ckan-v1.5-sprint-3
Component: ckan
Repo: ckan
Theme: none

Description:

A user can insert bad things into their About field, and when you view the user (web interface) it causes a 500 error - something is not right here. Need to filter to just safe markdown, as we do for the package notes field.

{{{
nasty/website
}}}

Also check this related exception:

{{{
Module ckan.controllers.user:59 in read
<<  c.is_myself = user.name == c.user
    c.api_key = user.apikey
    c.about_formatted = self._format_about(user.about)
    revisions_q = model.Session.query(model.Revision
                                      ).filter_by(author=user.name)
>>  c.about_formatted = self._format_about(user.about)

Module ckan.controllers.user:167 in _format_about
<<  def _format_about(self, about):
        about_formatted = ckan.misc.MarkdownFormat().to_html(about)
        return genshi.HTML(about_formatted)

    def _get_form_password(self):
>>  return genshi.HTML(about_formatted)

WebApp Error: : junk characters in start tag: u'\u201dhttp://www.settingu': line 1, column 3
}}}