From 7ef86f477c07a7df9affb20ab44cb34c1cf5640c Mon Sep 17 00:00:00 2001 From: Pavel Kvach Date: Sun, 3 Mar 2024 01:07:03 +0200 Subject: [PATCH 1/3] isso: html.py: Prevent auto creation of invalid links Fixes https://github.com/posativ/isso/issues/557 --- isso/tests/test_html.py | 2 ++ isso/utils/html.py | 5 +++++ 2 files changed, 7 insertions(+) diff --git a/isso/tests/test_html.py b/isso/tests/test_html.py index 25ce77a9d..86e27315b 100644 --- a/isso/tests/test_html.py +++ b/isso/tests/test_html.py @@ -67,6 +67,8 @@ def test_sanitizer(self): ['Ha', 'Ha']), ('Ha', 'Ha'), + ('ld.so', 'ld.so'), + ('/usr/lib/x86_64-linux-gnu/libc/memcpy-preload.so', '/usr/lib/x86_64-linux-gnu/libc/memcpy-preload.so'), ('

Test

', '

Test

'), ('', 'alert("Onoe")')] diff --git a/isso/utils/html.py b/isso/utils/html.py index 23c4ba6d0..4e0aae963 100644 --- a/isso/utils/html.py +++ b/isso/utils/html.py @@ -27,6 +27,11 @@ def sanitize(self, text): clean_html = bleach.clean(text, tags=self.elements, attributes=self.attributes, strip=True) def set_links(attrs, new=False): + # Linker can misinterpret text as a domain name and create new invalid links. + # To prevent this, we only allow existing links to be modified. + if new: + return None + href_key = (None, u'href') if href_key not in attrs: From afc43808c2e5f589dff82713c69a977e73f4260c Mon Sep 17 00:00:00 2001 From: Pavel Kvach Date: Mon, 11 Mar 2024 01:15:05 +0200 Subject: [PATCH 2/3] CHANGES: Prevent auto creation of invalid links in comments --- CHANGES.rst | 2 ++ 1 file changed, 2 insertions(+) diff --git a/CHANGES.rst b/CHANGES.rst index 7edbbd5b7..21d711078 100644 --- a/CHANGES.rst +++ b/CHANGES.rst @@ -22,10 +22,12 @@ Bugfixes & Improvements - Changed website validation to allow domain names containing umlauts (`#951`_, schneidr) - Improve Spanish translation (`#967`_, welpo) - Make language code handling more robust (`#983`_, ix5) +- Prevent auto creation of invalid links in comments (`#995`_, pkvach) .. _#951: https://github.com/posativ/isso/pull/951 .. _#967: https://github.com/posativ/isso/pull/967 .. _#983: https://github.com/posativ/isso/pull/983 +.. _#995: https://github.com/isso-comments/isso/pull/995 0.13.1.dev0 (2023-02-05) ------------------------ From fccd6eb7a5581c3b4b8afc69a9e7ce8c680a21b8 Mon Sep 17 00:00:00 2001 From: Pavel Kvach Date: Mon, 11 Mar 2024 01:38:42 +0200 Subject: [PATCH 3/3] Fix linting issues --- isso/tests/test_html.py | 2 +- isso/utils/html.py | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/isso/tests/test_html.py b/isso/tests/test_html.py index 86e27315b..5b59b39a2 100644 --- a/isso/tests/test_html.py +++ b/isso/tests/test_html.py 
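Review bot: The two cases added to `test_sanitizer` only pin inputs that must stay unlinked (`ld.so` and the `memcpy-preload.so` path). As far as the visible lines show, nothing asserts that an anchor already present in the input still passes through `set_links` once the early return exists. A companion case with an explicit link and its expected output would guard the `new=False` path. A bare domain such as `example.com` would also record whether valid-looking text is now deliberately left as plain text. The test list starts and ends outside the hunk.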
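Review bot: The early `if new: return None` in `set_links` suppresses every link the linker would create on its own, not only misdetected ones such as `ld.so`, and the added comment does not say so. I would word it as `# Returning None for new=True makes the linker skip creating the link; this disables all auto-detected links, valid ones included.` If auto-linking of bare URLs is still wanted, narrowing detection instead (for example a restricted TLD list via `bleach.linkifier.build_url_re`) is an alternative. Whether the Markdown renderer already links bare URLs before `sanitize` runs is not visible here. The rest of `set_links` lies outside the hunk.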
@@ -67,7 +67,7 @@ def test_sanitizer(self): ['Ha', 'Ha']), ('Ha', 'Ha'), - ('ld.so', 'ld.so'), + ('ld.so', 'ld.so'), ('/usr/lib/x86_64-linux-gnu/libc/memcpy-preload.so', '/usr/lib/x86_64-linux-gnu/libc/memcpy-preload.so'), ('

Test

', '

Test

'), ('', 'alert("Onoe")')] diff --git a/isso/utils/html.py b/isso/utils/html.py index 4e0aae963..b7b895d20 100644 --- a/isso/utils/html.py +++ b/isso/utils/html.py @@ -27,8 +27,8 @@ def sanitize(self, text): clean_html = bleach.clean(text, tags=self.elements, attributes=self.attributes, strip=True) def set_links(attrs, new=False): - # Linker can misinterpret text as a domain name and create new invalid links. - # To prevent this, we only allow existing links to be modified. + # Linker can misinterpret text as a domain name and create new invalid links. + # To prevent this, we only allow existing links to be modified. if new: return None