STR:
1. Load http://support-stage-new.mozilla.com/en-US/forums/test-forum/2?page=7
2. Try to click on the links or mouse-over them (if they're just styled, and aren't linked)

None of the links are valid URI/URLs, to my knowledge; we should do better at parsing/linking them (they're all obviously SQL-injection debris).
(My personal favorite is http://support-stage-new.mozilla.com/en-US/forums/test-forum/2?page=8#post-162), where it links http://support-stage-new.mozilla.com/|%5C
(In reply to comment #1)
> (My personal favorite is
> http://support-stage-new.mozilla.com/en-US/forums/test-forum/2?page=8#post-162),
> where it links http://support-stage-new.mozilla.com/|%5C

Technically, that is a valid URL. All those characters are allowed. We should check whether Bleach's linkify() or the markup parser is linkifying things like `document.vulnerable`, but they are just links to nowhere in particular, so not all that dangerous.
This was a Bleach.linkify() bug. Added tests and fixed it. Version bump to 0.3.2. http://github.com/jsocol/bleach/commit/47edcde303 If it doesn't pick up we may have to kick pip to update, but it should be fine.
Assignee: nobody → james
Severity: major → normal
Status: NEW → RESOLVED
Last Resolved: 8 years ago
Priority: -- → P2
Resolution: --- → FIXED
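A conservative linkifier, added here as an illustration (it is not Bleach's code and not the fix in the commit above): a candidate only becomes an anchor when its last label is on an allowlist of known top-level domains, so SQL-injection debris such as `document.vulnerable` or `|\` stays inert text, and all output is HTML-escaped. The allowlist and the regex are assumptions for this example.

```python
import html
import re

# Constructed allowlist for the example; a real deployment would use the
# public suffix list rather than this hand-picked set.
KNOWN_TLDS = {"com", "org", "net", "edu", "gov", "io"}

# A candidate is an optional http(s) scheme, a dotted hostname, an optional
# port and an optional path that stops at whitespace, quotes or angle brackets.
URL_RE = re.compile(
    r"""(?P<url>
        (?:https?://)?
        (?P<host>[a-z0-9](?:[a-z0-9-]*[a-z0-9])?
                 (?:\.[a-z0-9](?:[a-z0-9-]*[a-z0-9])?)+)
        (?::\d{1,5})?
        (?:/[^\s<>"']*)?
    )""",
    re.IGNORECASE | re.VERBOSE,
)


def _is_linkable(match):
    # Only link hosts whose final label is a TLD we recognise; this is what
    # keeps "document.vulnerable" or "1.2" from turning into anchors.
    tld = match.group("host").rsplit(".", 1)[-1].lower()
    return tld in KNOWN_TLDS


def linkify(text):
    """Escape text for HTML and wrap only plausible URLs in <a> tags."""
    out, pos = [], 0
    for m in URL_RE.finditer(text):
        out.append(html.escape(text[pos:m.start()]))
        url = m.group("url")
        if _is_linkable(m):
            href = url if url.lower().startswith(("http://", "https://")) else "http://" + url
            out.append('<a href="%s" rel="nofollow">%s</a>'
                       % (html.escape(href, quote=True), html.escape(url)))
        else:
            out.append(html.escape(url))  # looked like a URL, but is not one we trust
        pos = m.end()
    out.append(html.escape(text[pos:]))
    return "".join(out)
```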
Verified FIXED; really nice work!
Status: RESOLVED → VERIFIED