[k] Improve parsing to filter out non-valid URL/URIs

VERIFIED FIXED in 2.1

Status

support.mozilla.org
Forum
P2
normal
VERIFIED FIXED
8 years ago
8 years ago

People

(Reporter: stephend, Assigned: jsocol)

Tracking

unspecified

Firefox Tracking Flags

(Not tracked)

Details

(URL)

(Reporter)

Description

8 years ago
STR:

1. Load http://support-stage-new.mozilla.com/en-US/forums/test-forum/2?page=7
2. Try to click on the links or mouse-over them (if they're just styled, and aren't linked)

None of the links are valid URI/URLs, to my knowledge; we should do better at parsing/linking them (they're all obviously SQL-injection debris).
(Assignee)

Comment 2

8 years ago
(In reply to comment #1)
> (My personal favorite is
> http://support-stage-new.mozilla.com/en-US/forums/test-forum/2?page=8#post-162),
> where it links http://support-stage-new.mozilla.com/|%5C

Technically, that is a valid URL. All those characters are allowed.

We should check whether Bleach's linkify() or the markup parser is linkifying things like `document.vulnerable`, but they are just links to nowhere in particular, so not all that dangerous.
(Assignee)

Comment 3

8 years ago
This was a Bleach.linkify() bug. Added tests and fixed it. Version bump to 0.3.2.

http://github.com/jsocol/bleach/commit/47edcde303

If it doesn't pick up we may have to kick pip to update, but it should be fine.
Assignee: nobody → james
Severity: major → normal
Status: NEW → RESOLVED
Last Resolved: 8 years ago
Priority: -- → P2
Resolution: --- → FIXED
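
A regression check for the behaviour discussed in comments 2 and 3, added here as an illustration; it is not Bleach's code and not the fix in the linked commit. The `linkify` function, the `TLDS` allowlist and the sample strings are assumptions constructed for this example.

```python
import html
import re

# Assumption: a short allowlist stands in for a maintained TLD list.
TLDS = ("com", "org", "net", "edu", "gov")

LINK_RE = re.compile(
    r"(?<![\w@.-])(?:"
    # Explicit scheme: accept a non-space, non-markup run after the host start.
    r"(?P<scheme>https?://)[a-z0-9][^\s<>\"']*"
    # Bare host: the last label must be an allowlisted TLD, so a dotted
    # identifier such as document.vulnerable is left as plain text.
    r"|(?:[a-z0-9-]+\.)+(?:%s)(?![\w-])(?!\.\w)(?:/[^\s<>\"']*)?"
    r")" % "|".join(TLDS),
    re.IGNORECASE,
)


def linkify(text):
    """Escape text for HTML and wrap only plausible URLs in <a> tags."""
    out, pos = [], 0
    for m in LINK_RE.finditer(text):
        # Sentence punctuation after a URL stays outside the link.
        url = m.group(0).rstrip(".,;:!?)")
        href = url if m.group("scheme") else "http://" + url
        out.append(html.escape(text[pos:m.start()]))
        out.append('<a href="%s" rel="nofollow">%s</a>'
                   % (html.escape(href, quote=True), html.escape(url)))
        pos = m.start() + len(url)
    out.append(html.escape(text[pos:]))
    return "".join(out)


if __name__ == "__main__":
    # Constructed samples modelled on the kind of forum debris in this bug.
    for sample in ("x' OR 1=1 -- document.vulnerable",
                   "go to example.com.",
                   "http://support-stage-new.mozilla.com/|%5C"):
        print(linkify(sample))
```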
(Reporter)

Comment 4

8 years ago
Verified FIXED; really nice work!
Status: RESOLVED → VERIFIED