Ticket #1180 (closed defect: fixed)
Links in markdown can be badly formed
Reported by: | dread | Owned by: | dread |
---|---|---|---|
Priority: | critical | Milestone: | ckan-v1.5-sprint-3 |
Component: | ckan | Keywords: | |
Cc: | | Repository: | ckan |
Theme: | none | | |
Description (last modified by dread)
User can insert bad anchor tags into the User-About and Package-Notes fields and when you view them (web interface) it causes a 500 error.
Need to improve filtering for anchors in markdown.
<a href="http://xxxsex.com>nasty/website
Also check this related exception:
Module ckan.controllers.user:59 in read
<<  c.is_myself = user.name == c.user
    c.api_key = user.apikey
    c.about_formatted = self._format_about(user.about)
    revisions_q = model.Session.query(model.Revision
        ).filter_by(author=user.name)
>>  c.about_formatted = self._format_about(user.about)
Module ckan.controllers.user:167 in _format_about
<<  def _format_about(self, about):
        about_formatted = ckan.misc.MarkdownFormat().to_html(about)
        return genshi.HTML(about_formatted)
    def _get_form_password(self):
>>  return genshi.HTML(about_formatted)
WebApp Error: <class 'genshi.input.ParseError'>: junk characters in start tag: u'\u201dhttp://www.settingu': line 1, column 3
Change History
comment:2 Changed 3 years ago by dread
- Status changed from new to closed
- Resolution set to fixed
- Description modified (diff)
- Summary changed from User 'about' field put in HTML unsafely to Links in markdown can be badly formed
Both issues solved using a whitelist on anchor tags.
Second issue was a link with a unicode expression of the quote, e.g. <a href=\u201dsomelink\u201d>somelink</a>
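The two failing inputs from this ticket (an unclosed quote in the first `href`, and curly Unicode quotes in the second) both blow up a strict XML parser such as the one behind `genshi.HTML`, which is where the 500 came from. The following is an added illustration of the allowlist approach the fix describes; it is not CKAN's own code. It uses only the Python standard library: the tolerant `html.parser` never raises on broken tags, every tag except `<a href>` is dropped, the `href` is accepted only when its scheme is in an allowlist (an assumed policy of `http`, `https` and `mailto`), and text is re-escaped on output so the result is always well-formed. `parses_strictly` stands in for the genshi step to show the before/after difference.

```python
"""Allowlist-based anchor filter for user-supplied markup.

Added illustration of the fix strategy named in the ticket (an allowlist on
anchor tags); it is not CKAN's own code.  Only the standard library is used:
html.parser is tolerant of broken tags, so input such as an unclosed quote
never raises the way the strict parser behind genshi.HTML did.
"""
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlsplit
from xml.etree import ElementTree as ET

# Assumption: link schemes this example's policy accepts.
ALLOWED_SCHEMES = {"http", "https", "mailto"}


def safe_href(href):
    """Return href if its scheme is allowlisted, otherwise None."""
    if href is None:
        return None
    href = href.strip()
    try:
        scheme = urlsplit(href).scheme.lower()
    except ValueError:  # e.g. malformed IPv6 literal in the netloc
        return None
    return href if scheme in ALLOWED_SCHEMES else None


class AnchorAllowlist(HTMLParser):
    """Re-emit text and well-formed <a href> tags; drop every other tag.

    Text is re-escaped, the href is quoted with html.escape, and an anchor
    still open at end of input is closed, so the output is well-formed no
    matter how broken the input was.
    """

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self._open_a = False

    def handle_starttag(self, tag, attrs):
        if tag != "a":
            return  # disallowed tag is dropped; its text still flows through
        self._close_anchor()  # a second <a> before </a>: close the first one
        href = safe_href(dict(attrs).get("href"))
        if href is None:
            return  # missing or non-allowlisted scheme: keep the text only
        self.out.append('<a href="%s">' % escape(href, quote=True))
        self._open_a = True

    def handle_endtag(self, tag):
        if tag == "a":
            self._close_anchor()

    def handle_data(self, data):
        self.out.append(escape(data, quote=False))

    def _close_anchor(self):
        if self._open_a:
            self.out.append("</a>")
            self._open_a = False

    def close(self):
        super().close()
        self._close_anchor()


def sanitize_anchors(markup):
    """Return well-formed HTML containing only text and allowlisted links."""
    parser = AnchorAllowlist()
    parser.feed(markup)
    parser.close()
    return "".join(parser.out)


def parses_strictly(fragment):
    """True if a strict XML parser accepts the fragment.

    Stand-in for the genshi.HTML() step in the traceback: the inputs that
    made it raise ParseError make ElementTree raise ParseError as well.
    """
    try:
        ET.fromstring("<div>%s</div>" % fragment)
        return True
    except ET.ParseError:
        return False


if __name__ == "__main__":
    # Constructed samples: the two malformed links quoted in the ticket, a
    # javascript: URL, and a clean link for comparison.
    for sample in (
        '<a href="http://xxxsex.com>nasty/website',
        '<a href=\u201dsomelink\u201d>somelink</a>',
        '<a href="javascript:alert(1)">click</a>',
        '<a href="https://example.org/">ok</a>',
    ):
        cleaned = sanitize_anchors(sample)
        print("%r -> %r (strict parse before: %s, after: %s)"
              % (sample, cleaned, parses_strictly(sample), parses_strictly(cleaned)))
```

The design choice worth noting is that the filter rebuilds the anchor from parsed pieces instead of passing the author's tag through: a tag that cannot be parsed into a name and a scheme-checked `href` contributes only its text, so the downstream strict parser never sees the original bytes. Exactly what the tolerant parser does with an unterminated quote at end of input varies between Python releases, which is why the check that matters is that the output re-parses cleanly, not what the broken tag turned into.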