isso: html.py: Prevent auto creation of invalid links

Fixes #557
isso-comments · Mar 2, 2024 · 7ef86f4 · 7ef86f4
1 parent 9755fe6
commit 7ef86f4
Show file tree

Hide file tree

Showing 2 changed files with 7 additions and 0 deletions.
diff --git a/isso/tests/test_html.py b/isso/tests/test_html.py
@@ -67,6 +67,8 @@ def test_sanitizer(self):
              ['<a href="http://example.org/" rel="nofollow noopener">Ha</a>',
               '<a rel="nofollow noopener" href="http://example.org/">Ha</a>']),
             ('<a href="sms:+1234567890">Ha</a>', '<a>Ha</a>'),
+            ('ld.so', 'ld.so'),            
+            ('/usr/lib/x86_64-linux-gnu/libc/memcpy-preload.so', '/usr/lib/x86_64-linux-gnu/libc/memcpy-preload.so'),
             ('<p style="visibility: hidden;">Test</p>', '<p>Test</p>'),
             ('<script>alert("Onoe")</script>', 'alert("Onoe")')]
 

diff --git a/isso/utils/html.py b/isso/utils/html.py
@@ -27,6 +27,11 @@ def sanitize(self, text):
         clean_html = bleach.clean(text, tags=self.elements, attributes=self.attributes, strip=True)
 
         def set_links(attrs, new=False):
+            # Linker can misinterpret text as a domain name and create new invalid links. 
+            # To prevent this, we only allow existing links to be modified. 
+            if new:
+                return None
+
             href_key = (None, u'href')
 
             if href_key not in attrs: