Ticket #1180 (closed defect: fixed)

Opened 3 years ago

Last modified 3 years ago

Links in markdown can be badly formed

Reported by: dread Owned by: dread
Priority: critical Milestone: ckan-v1.5-sprint-3
Component: ckan Keywords:
Cc: Repository: ckan
Theme: none

Description (last modified by dread)

User can insert bad anchor tags into the User-About and Package-Notes fields and when you view them (web interface) it causes a 500 error.

Need to improve filtering for anchors in markdown.

<a href="http://xxxsex.com>nasty/website

Also check this related exception:

Module ckan.controllers.user:59 in read
<<          c.is_myself = user.name == c.user
               c.api_key = user.apikey
               c.about_formatted = self._format_about(user.about)
               revisions_q = model.Session.query(model.Revision
                       ).filter_by(author=user.name)
>>  c.about_formatted = self._format_about(user.about)
Module ckan.controllers.user:167 in _format_about
<<      def _format_about(self, about):
               about_formatted = ckan.misc.MarkdownFormat().to_html(about)
               return genshi.HTML(about_formatted) 
       
           def _get_form_password(self):
>>  return genshi.HTML(about_formatted)
WebApp Error: <class 'genshi.input.ParseError'>: junk characters in start tag: u'\u201dhttp://www.settingu': line 1, column 3

Change History

comment:1 Changed 3 years ago by dread

  • Description modified

comment:2 Changed 3 years ago by dread

  • Status changed from new to closed
  • Resolution set to fixed
  • Description modified
  • Summary changed from User 'about' field put in HTML unsafely to Links in markdown can be badly formed

Both issues were solved using a whitelist on anchor tags.

The second issue was a link with a unicode expression of the quote, e.g. <a href=\u201dsomelink\u201d>somelink</a>
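The whitelist approach described in the comment above, as an added example that is not CKAN's own fix and not code from this ticket. It assumes a simple pipeline in which the user-supplied field text reaches the template engine directly, so anchors are the only markup it has to accept; the names `sanitize_anchors`, `parses_cleanly` and `ALLOWED_SCHEMES` are this example's own. Only an anchor start tag of the exact form `<a href="...">` with an `http://`, `https://` or `mailto:` URL is kept; every other tag-like run, including the unterminated quote and the typographic quotes from the two cases in this ticket, is rendered as literal text, and anchors are re-balanced so the output is always well-formed. Typographic quotes around an otherwise valid URL are folded to straight quotes first, so a link pasted from a word processor still works. `parses_cleanly` reproduces the failure that caused the 500 with the standard library's XML parser in place of genshi.

```python
import html
import re
import xml.etree.ElementTree as ET

# Schemes a whitelisted href may use (assumption for this example).
ALLOWED_SCHEMES = ("http://", "https://", "mailto:")

# The only anchor start tag we accept: straight double quotes, a single
# href attribute and nothing else. Anything that fails this is not markup.
WELL_FORMED_ANCHOR = re.compile(r'<a\s+href="(?P<href>[^"<>\s]+)"\s*>', re.IGNORECASE)

# Any tag-like run: from '<' to the next '>' or, when no '>' follows,
# to the end of the text (the unterminated tag from the ticket).
TAG_LIKE = re.compile(r'<[^>]*>?')

# Typographic quotes pasted from word processors are folded to straight
# quotes before the check, so a real link written that way still passes.
CURLY_QUOTES = str.maketrans({'\u201c': '"', '\u201d': '"'})


def _whitelisted_anchor(tag):
    """Return a rebuilt '<a href="...">' if the tag is acceptable, else None."""
    m = WELL_FORMED_ANCHOR.fullmatch(tag.translate(CURLY_QUOTES))
    if m is None:
        return None
    href = m.group('href')
    if not href.lower().startswith(ALLOWED_SCHEMES):
        return None
    # Re-emit with straight quotes; a '&' in a query string becomes '&amp;'
    # (the input is assumed not to be entity-encoded already).
    return '<a href="%s">' % html.escape(href, quote=True)


def sanitize_anchors(text):
    """Keep well-formed, balanced anchors; render every other tag as text."""
    out = []
    open_anchor = False
    pos = 0
    for m in TAG_LIKE.finditer(text):
        out.append(text[pos:m.start()])   # text between tags is passed through
        tag = m.group(0)
        if tag.lower() == '</a>':
            if open_anchor:
                out.append('</a>')
                open_anchor = False
            else:
                out.append(html.escape(tag, quote=False))  # stray close tag
        else:
            rebuilt = _whitelisted_anchor(tag)
            if rebuilt is None:
                out.append(html.escape(tag, quote=False))  # not markup, just text
            else:
                if open_anchor:
                    out.append('</a>')  # anchors never nest
                out.append(rebuilt)
                open_anchor = True
        pos = m.end()
    out.append(text[pos:])
    if open_anchor:
        out.append('</a>')  # close an anchor the user left open
    return ''.join(out)


def parses_cleanly(fragment):
    """True if an XML parser accepts the fragment; the 500 error hinged on this."""
    try:
        ET.fromstring('<div>%s</div>' % fragment)
        return True
    except ET.ParseError:
        return False


if __name__ == '__main__':
    # Constructed inputs modelled on the two cases in the ticket.
    for bad in ('<a href="http://xxxsex.com>nasty/website',
                '<a href=\u201dsomelink\u201d>somelink</a>'):
        print(parses_cleanly(bad), '->', parses_cleanly(sanitize_anchors(bad)))
```

Running the block prints `False -> True` for both constructed inputs: the raw text is rejected by the parser, as it was by genshi in the traceback above, while the sanitized text is accepted. Because the whitelist rebuilds the tag rather than passing the user's bytes through, any attribute other than a single `href`, any unterminated quote and any scheme outside the allowed set is downgraded to visible text instead of reaching the template engine.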
