
Allow anchor links on same page (remove "trusted protocols" filter, rely on...

Souradip Mookerjee requested to merge souramoo/commento:patch-4 into master

Allow anchor links on same page (remove "trusted protocols" filter, rely on bluemonday to filter out XSS).

Fixes #68

Proof-of-concept Go code to play around with:

```go
package main

import (
	"fmt"
	"github.com/microcosm-cc/bluemonday"
	"github.com/russross/blackfriday"
)

func main() {
	var policy *bluemonday.Policy
	var renderer blackfriday.Renderer
	var extensions int

	// Link sanitisation is handled by the bluemonday policy: every href must
	// parse, and only the listed schemes are kept. A same-page "#anchor" link
	// has no scheme, so it is treated as a relative URL and survives.
	policy = bluemonday.UGCPolicy()
	policy.RequireParseableURLs(true)
	policy.AllowURLSchemes("mailto", "http", "https")

	extensions = 0
	extensions |= blackfriday.EXTENSION_AUTOLINK
	extensions |= blackfriday.EXTENSION_STRIKETHROUGH

	// The blackfriday SAFELINK HTML flag (HTML_SAFELINK) is deliberately not
	// set here; it is the filter that was rewriting "#anchor" links.
	htmlFlags := 0
	htmlFlags |= blackfriday.HTML_SKIP_HTML
	htmlFlags |= blackfriday.HTML_SKIP_IMAGES
	htmlFlags |= blackfriday.HTML_HREF_TARGET_BLANK

	renderer = blackfriday.HtmlRenderer(htmlFlags, "", "")
	// Render the Markdown to (unsanitised) HTML first, then run the policy over it.
	unsafe := blackfriday.Markdown([]byte(`hello world [a](#aaa) [b](https://google.com) [c](/about) [d](messenger://hello) [e](//google.com)`), renderer, extensions)
	fmt.Println(string(unsafe))
	fmt.Println(string(policy.SanitizeBytes(unsafe)))
}
```

It appears that the `#anchor` links were being replaced with `<tt>` because of the SAFELINKS filter.

We can recreate similar behaviour in a better way by relying on a bluemonday policy to deal with the links and their sanity (through requiring URLs to be parsable and only allowing certain schemes) while retaining the ability to link to anchors on the same page.
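Added example (not code from this merge request, and not bluemonday's or blackfriday's implementation): a standard-library-only Go model of the link policy the description relies on, namely "require parseable URLs, permit relative URLs, allowlist schemes". The function names `hrefAllowed` and `isSamePageAnchor`, the `allowRelative` parameter and the sample hrefs are assumptions made for illustration. It shows why a same-page anchor needs no "trusted protocol" check at all (it has no scheme, so it is just a relative URL), while a link using an unknown or script scheme is still dropped, and why the `allowRelative` switch is what decides the fate of `#anchor`, `/about` and protocol-relative `//host` links alike.

```go
package main

import (
	"fmt"
	"net/url"
)

// allowedSchemes is the same allowlist the merge request passes to
// policy.AllowURLSchemes("mailto", "http", "https").
var allowedSchemes = map[string]bool{"mailto": true, "http": true, "https": true}

// isSamePageAnchor reports whether href only moves within the current
// document: no scheme, host or path, just a fragment.
func isSamePageAnchor(href string) bool {
	u, err := url.Parse(href)
	if err != nil {
		return false
	}
	return u.Scheme == "" && u.Host == "" && u.Path == "" && u.Fragment != ""
}

// hrefAllowed is a simplified, stdlib-only model of a "require parseable
// URLs, allow relative URLs, allowlist schemes" link policy (an assumption
// for illustration, not bluemonday's code). It returns the decision and a
// short reason.
func hrefAllowed(href string, allowRelative bool) (bool, string) {
	u, err := url.Parse(href)
	if err != nil {
		return false, "unparseable URL"
	}
	if u.Scheme == "" {
		// "#anchor", "/about" and protocol-relative "//host" all land here:
		// there is no scheme to check, so the only question is whether
		// relative URLs are permitted at all.
		if !allowRelative {
			return false, "relative URLs not permitted"
		}
		if u.Host != "" {
			return true, "protocol-relative URL (still leaves the site)"
		}
		return true, "relative URL"
	}
	// url.Parse lower-cases the scheme, so mixed-case variants are caught too.
	if allowedSchemes[u.Scheme] {
		return true, "allowlisted scheme " + u.Scheme
	}
	return false, "scheme " + u.Scheme + " not allowlisted"
}

func main() {
	// Constructed sample hrefs: the five links from the MR's test string plus
	// two more that a link policy exists to decide on.
	samples := []string{
		"#aaa", "https://google.com", "/about", "messenger://hello",
		"//google.com", "javascript:alert(1)", "mailto:user@example.com",
	}
	for _, h := range samples {
		ok, why := hrefAllowed(h, true)
		fmt.Printf("%-26s allowed=%-5v samePageAnchor=%-5v %s\n", h, ok, isSamePageAnchor(h), why)
	}
}
```

Running it prints one line per sample: the anchor, the `/about` path and the `https://` link are kept, `messenger://hello` and the `javascript:` link are dropped, and `//google.com` is kept but flagged as protocol-relative, which is the one relative form that still leaves the site and is worth knowing about when relying on an allow-relative policy.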
