CKAN: Ticket #1180: Links in markdown can be badly formed http://localhost/ticket/1180 <p> User can insert bad anchor tags into the User-About and Package-Notes fields and when you view them (web interface) it causes a 500 error. </p> <p> Need to improve filtering for anchors in markdown. </p> <pre class="wiki">&lt;a href="http://xxxsex.com&gt;nasty/website </pre><p> Also check this related exception: </p> <pre class="wiki">Module ckan.controllers.user:59 in read &lt;&lt; c.is_myself = user.name == c.user c.api_key = user.apikey c.about_formatted = self._format_about(user.about) revisions_q = model.Session.query(model.Revision ).filter_by(author=user.name) &gt;&gt; c.about_formatted = self._format_about(user.about) Module ckan.controllers.user:167 in _format_about &lt;&lt; def _format_about(self, about): about_formatted = ckan.misc.MarkdownFormat().to_html(about) return genshi.HTML(about_formatted) def _get_form_password(self): &gt;&gt; return genshi.HTML(about_formatted) WebApp Error: &lt;class 'genshi.input.ParseError'&gt;: junk characters in start tag: u'\u201dhttp://www.settingu': line 1, column 3 </pre> en-us CKAN http://assets.okfn.org/p/ckan/img/ckan_logo_shortname.png http://localhost/ticket/1180 Trac 0.12.3 dread Tue, 07 Jun 2011 19:31:07 GMT description changed http://localhost/ticket/1180#comment:1 http://localhost/ticket/1180#comment:1 <ul> <li><strong>description</strong> modified (<a href="/ticket/1180?action=diff&amp;version=1">diff</a>) </li> </ul> Ticket dread Wed, 08 Jun 2011 14:43:43 GMT status, description, summary changed; resolution set http://localhost/ticket/1180#comment:2 http://localhost/ticket/1180#comment:2 <ul> <li><strong>status</strong> changed from <em>new</em> to <em>closed</em> </li> <li><strong>resolution</strong> set to <em>fixed</em> </li> <li><strong>description</strong> modified (<a href="/ticket/1180?action=diff&amp;version=2">diff</a>) </li> <li><strong>summary</strong> changed from <em>User 'about' field put in HTML unsafely</em> to <em>Links in markdown can be badly formed</em> </li> </ul> <p> Both issues solved using a whitelist on anchor tags. </p> <p> Second issue was a link with unicode expression of the quote. e.g. &lt;a href=\u201dsomelink\u201d&gt;somelink&lt;/a&gt; </p> Ticket