Allow anchor links on same page (remove "trusted protocols" filter, rely on bluemonday to filter out XSS).
Fixes #68
Proof of concept Go code to play around with:

    package main

    import (
        "fmt"

        "github.com/microcosm-cc/bluemonday"
        "github.com/russross/blackfriday"
    )

    func main() {
        var policy *bluemonday.Policy
        var renderer blackfriday.Renderer
        var extensions int

        // Sanitisation policy: URLs must parse and use one of these schemes.
        policy = bluemonday.UGCPolicy()
        policy.RequireParseableURLs(true)
        policy.AllowURLSchemes("mailto", "http", "https")

        extensions = 0
        extensions |= blackfriday.EXTENSION_AUTOLINK
        extensions |= blackfriday.EXTENSION_STRIKETHROUGH

        htmlFlags := 0
        htmlFlags |= blackfriday.HTML_SKIP_HTML
        htmlFlags |= blackfriday.HTML_SKIP_IMAGES
        htmlFlags |= blackfriday.HTML_HREF_TARGET_BLANK
        renderer = blackfriday.HtmlRenderer(htmlFlags, "", "")

        // Input covers an anchor, an absolute URL, a relative path,
        // a custom scheme and a protocol-relative URL.
        unsafe := blackfriday.Markdown([]byte(`hello world [a](#aaa) [b](https://google.com) [c](/about) [d](messenger://hello) [e](//google.com)`), renderer, extensions)

        // Print the raw rendered HTML, then the same HTML after sanitisation.
        fmt.Println(string(unsafe))
        fmt.Println(string(policy.SanitizeBytes(unsafe)))
    }

It appears that the #anchor links were being replaced with <tt>
because of the SAFELINKS filter.
We can recreate similar behaviour in a better way by relying on a bluemonday policy to deal with the links and their sanity (through requiring URLs to be parsable and only allowing certain schemes) while retaining the ability to link to anchors on the same page.
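
The link rule described above (URL must parse, an explicit scheme must be on the allowlist, same-page anchors survive), as an added example that is not part of the commit and is not bluemonday's implementation. It uses only the standard library; `hrefVerdict` and `allowedSchemes` are hypothetical names, and accepting scheme-less references is an assumption of this sketch.

```go
package main

import (
	"fmt"
	"net/url"
)

// allowedSchemes mirrors the scheme list used in the proof of concept.
var allowedSchemes = map[string]bool{"mailto": true, "http": true, "https": true}

// hrefVerdict classifies a link target: it must parse, and an explicit
// scheme must be on the allowlist. Accepting scheme-less references
// (anchors, relative paths, protocol-relative URLs) is an assumption here.
// url.Parse lower-cases the scheme, so "JavaScript:" cannot slip past.
func hrefVerdict(href string) string {
	u, err := url.Parse(href)
	if err != nil {
		return "reject: unparseable"
	}
	if u.Scheme == "" {
		switch {
		case u.Host != "":
			// Leaves the site, using the scheme of the embedding page.
			return "allow: protocol-relative"
		case u.Path == "" && u.RawQuery == "" && u.Fragment != "":
			return "allow: same-page anchor"
		default:
			return "allow: relative"
		}
	}
	if allowedSchemes[u.Scheme] {
		return "allow: scheme " + u.Scheme
	}
	return "reject: scheme " + u.Scheme
}

func main() {
	// The five targets from the proof of concept, plus constructed edge cases.
	samples := []string{
		"#aaa", "https://google.com", "/about", "messenger://hello", "//google.com",
		"JavaScript:alert(1)", " javascript:alert(1)", "java\tscript:alert(1)",
	}
	for _, s := range samples {
		fmt.Printf("%-24q %s\n", s, hrefVerdict(s))
	}
}
```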