Fix a problem in z_html:escape_link where some data was not escaped. (#…

…82)

* Fix a problem in z_html:escape_link where some data was not escaped.

* Do not run dialyzer as test

* Suppress dialyzer warnings

.github/workflows/hex-publish.yml

@@ -10,7 +10,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Check out
-        uses: actions/checkout@v2
+        uses: actions/checkout@v3
 
       - name: Publish to Hex.pm
         uses: erlangpack/github-action@v3

.github/workflows/test.yml

@@ -18,14 +18,14 @@ jobs:
 
     strategy:
       matrix:
-        otp_version: [23,24,25]
+        otp_version: [24,25,26]
         os: [ubuntu-latest]
 
     container:
       image: erlang:${{ matrix.otp_version }}
 
     steps:
-      - uses: actions/checkout@v2
+      - uses: actions/checkout@v3
       - name: Compile
         run: make
       - name: Test

GNUmakefile

@@ -31,7 +31,7 @@ shell: $(REBAR) compile
 	$(REBAR) $(REBAR_OPTS) shell
 
 dialyzer: $(REBAR)
-	$(REBAR) as test dialyzer
+	$(REBAR) dialyzer
 
 xref: $(REBAR)
 	$(REBAR) as test xref

rebar.lock

@@ -3,17 +3,17 @@
  {<<"qdate_localtime">>,{pkg,<<"qdate_localtime">>,<<"1.2.0">>},0},
  {<<"ssl_verify_fun">>,{pkg,<<"ssl_verify_fun">>,<<"1.1.6">>},1},
  {<<"tls_certificate_check">>,
-  {pkg,<<"tls_certificate_check">>,<<"1.16.0">>},
+  {pkg,<<"tls_certificate_check">>,<<"1.18.1">>},
   0}]}.
 [
 {pkg_hash,[
  {<<"cowlib">>, <<"0B9FF9C346629256C42EBE1EEB769A83C6CB771A6EE5960BD110AB0B9B872063">>},
  {<<"qdate_localtime">>, <<"644ADE4C7F7EAC765E2048DFA714D78EA86BAF5255FE46279B2EAC5729760A07">>},
  {<<"ssl_verify_fun">>, <<"CF344F5692C82D2CD7554F5EC8FD961548D4FD09E7D22F5B62482E5AEAEBD4B0">>},
- {<<"tls_certificate_check">>, <<"45B05E3B993DBACE2E4EBCCB666EADBD038F1DA8F4DB9691F4F34A274DFB0BD7">>}]},
+ {<<"tls_certificate_check">>, <<"54033CCBA6D5C7DC249C9D88243CCF9BAC2285784B9B7E258404B4B5AFF3DF10">>}]},
 {pkg_hash_ext,[
  {<<"cowlib">>, <<"2B3E9DA0B21C4565751A6D4901C20D1B4CC25CBB7FD50D91D2AB6DD287BC86A9">>},
  {<<"qdate_localtime">>, <<"98A538A5B6046B8652DFC5630B030D0414A1B31D0130C81FA6B88B5C1E625109">>},
  {<<"ssl_verify_fun">>, <<"BDB0D2471F453C88FF3908E7686F86F9BE327D065CC1EC16FA4540197EA04680">>},
- {<<"tls_certificate_check">>, <<"3DC0508C749619B8D6A5E21ACA4D719C184F065541795B0556398C8E574A3064">>}]}
+ {<<"tls_certificate_check">>, <<"078DE55B522D0550FE8112C01D33B380CFA55E8EC662DDA300457CC67895A9B6">>}]}
 ].

src/z_convert.erl

@@ -1,11 +1,12 @@
 %% @author Rusty Klophaus
-%% @copyright Copyright (c) 2008-2009 Rusty Klophaus, Copyright (c) 2009-2021 Marc Worrell
-%%
+%% @copyright Copyright (c) 2008-2009 Rusty Klophaus, Copyright (c) 2009-2023 Marc Worrell
 %% @doc Conversion functions for all kinds of data types. Changes to
 %% Rusty's version: added date conversion, undefined handling and more
 %% to_bool cases.
+%% @end
 
-%% Copyright 2009-2021 Marc Worrell
+%% Copyright 2008-2009 Rusty Klophaus
+%% Copyright 2009-2023 Marc Worrell
 %%
 %% Licensed under the Apache License, Version 2.0 (the "License");
 %% you may not use this file except in compliance with the License.
@@ -113,9 +114,13 @@ to_binary({trans, []}) ->
     <<>>.
 
 %% Specific Zotonic callback, please keep here.
-to_binary({trans, _} = Tr, Context) -> to_binary(z_trans:lookup_fallback(Tr, Context));
+to_binary({trans, _} = Tr, Context) -> to_binary(trans_lookup_fallback(Tr, Context));
 to_binary(A, _Context) -> to_binary(A).
 
+% Add nowarn because the z_trans module is optional (and from Zotonic core)
+-dialyzer({[ nowarn_function ], trans_lookup_fallback/2}).
+trans_lookup_fallback(Tr, Context) ->
+    z_trans:lookup_fallback(Tr, Context).
 
 %% @doc Convert (almost) any value to an integer.
 -spec to_integer(term()) -> integer() | undefined.

src/z_dateformat.erl

@@ -56,7 +56,7 @@
 -type datetime() :: calendar:datetime()
                   | {date(), calendar:time()}.
 
--export_type([datetime/0]).
+-export_type([datetime/0, date/0, tz/0]).
 
 %
 % Format the current date/time

src/z_html.erl

@@ -513,30 +513,35 @@ escape_link(Text) when is_binary(Text) ->
     of
         {match, Matches} ->
             Matches1 = [ hd(M) || M <- Matches ],
-            Linked = make_links1(lists:reverse(Matches1), Text),
+            Parts = split_in_links(lists:reverse(Matches1), Text, []),
+            Linked = lists:map(fun make_link/1, Parts),
             nl2br(iolist_to_binary(Linked));
         nomatch ->
             nl2br(escape(Text))
     end;
 escape_link(Text) ->
     escape_link(iolist_to_binary(Text)).
 
-make_links1([], Text) ->
-    Text;
-make_links1([{Offset, Len}|Matches], Text) ->
-    <<Before:Offset/binary, Link:Len/binary, Rest/binary>> = Text,
+make_link(B) when is_binary(B) ->
+    escape(B);
+make_link({link, Link}) ->
     NoScript = noscript(Link, true),
     LinkText = escape(NoScript),
     LinkUrl = escape(ensure_protocol(NoScript)),
-    Anchor = <<
+    <<
         "<a href=\"",
         LinkUrl/binary,
         "\" rel=\"noopener nofollow noreferrer\">",
         LinkText/binary,
         "</a>"
-        >>,
-    Text1 = <<Before/binary, Anchor/binary, Rest/binary>>,
-    make_links1(Matches, Text1).
+    >>.
+
+split_in_links([], Text, Acc) ->
+    [ Text | Acc ];
+split_in_links([ {Offset, Len}|Matches ], Text, Acc) ->
+    <<Before:Offset/binary, Link:Len/binary, Rest/binary>> = Text,
+    Acc1 = [ {link, Link}, Rest | Acc ],
+    split_in_links(Matches, Before, Acc1).
 
 ensure_protocol(<<>>) -> <<>>;
 ensure_protocol(<<"#", _/binary>> = Link) -> Link;

src/z_url_metadata.erl

@@ -517,7 +517,8 @@ img_blocklist() -> [
     <<"/1x1/">>
     ].
 
-
+% Add nowarn because the iconv module is optional.
+-dialyzer({[ nowarn_function ], maybe_convert_utf8/4}).
 maybe_convert_utf8(true, IsHtml, Charset, Html) ->
     CS1 = z_convert:to_list(
                 z_string:to_lower(

src/zotonic_stdlib.app.src

@@ -2,7 +2,11 @@
     {description, "Zotonic standard library"},
     {vsn, "git"},
     {registered, []},
-    {applications, [kernel, stdlib, tls_certificate_check]},
+    {applications, [
+        kernel, stdlib, inets,
+        tls_certificate_check,
+        cowlib, qdate_localtime
+    ]},
     {env, []},
     {modules, []},
     {exclude_files, [

test/z_html_test.erl

@@ -15,6 +15,12 @@ escape_link_test() ->
         = z_html:escape_link(z_html:unescape(<<"http://example.com/a&nbsp;">>)),
     <<"foo <a href=\"https://www.example.com/~user/home_foo;c?a=123&amp;b=c#abc\" rel=\"noopener nofollow noreferrer\">www.example.com/~user/home_foo;c?a=123&amp;b=c#abc</a> bar"/utf8>> 
         = z_html:escape_link(<<"foo www.example.com/~user/home_foo;c?a=123&b=c#abc bar">>),
+    <<"foo &lt;&gt;&amp;&quot;&#39; bar"/utf8>>
+        = z_html:escape_link(<<"foo <>&\"' bar">>),
+    <<"foo &lt;&gt;&amp;&quot;&#39; bar"/utf8>>
+        = z_html:escape_link("foo <>&\"' bar"),
+    <<"foo <a href=\"https://www.example.com\" rel=\"noopener nofollow noreferrer\">www.example.com</a> &lt;&gt;&amp;&quot;&#39; bar"/utf8>>
+        = z_html:escape_link("foo www.example.com <>&\"' bar"),
     ok.
 
 escape_props_test() ->