Merge pull request #520 from Crozzers/fix-issue-517

Allow more relative links in safe mode (issue #517)

CHANGES.md

@@ -2,7 +2,7 @@
 
 ## python-markdown2 2.4.10 (not yet released)
 
-(nothing yet)
+- [pull #520] Allow more relative links in safe mode (issue #517)
 
 
 ## python-markdown2 2.4.9

lib/markdown2.py

@@ -1507,12 +1507,25 @@ def _protect_url(self, url):
         self._escape_table[url] = key
         return key
 
-    # _safe_href is copied from pagedown's Markdown.Sanitizer.js
-    # From: https://github.com/StackExchange/pagedown/blob/master/LICENSE.txt
-    # Original Showdown code copyright (c) 2007 John Fraser
-    # Modifications and bugfixes (c) 2009 Dana Robinson
-    # Modifications and bugfixes (c) 2009-2014 Stack Exchange Inc.
-    _safe_href = re.compile(r'^((https?|ftp):\/\/|\/|\.|#)[-A-Za-z0-9+&@#\/%?=~_|!:,.;\(\)*[\]$]*$', re.I)
+    _safe_protocols = r'(?:https?|ftp):\/\/|(?:mailto|tel):'
+
+    @property
+    def _safe_href(self):
+        '''
+        _safe_href is adapted from pagedown's Markdown.Sanitizer.js
+        From: https://github.com/StackExchange/pagedown/blob/master/LICENSE.txt
+        Original Showdown code copyright (c) 2007 John Fraser
+        Modifications and bugfixes (c) 2009 Dana Robinson
+        Modifications and bugfixes (c) 2009-2014 Stack Exchange Inc.
+        '''
+        safe = r'-\w'
+        # omitted ['"<>] for XSS reasons
+        less_safe = r'#/\.!#$%&\(\)\+,/:;=\?@\[\]^`\{\}\|~'
+        # dot seperated hostname, optional port number, not followed by protocol seperator
+        domain = r'(?:[%s]+(?:\.[%s]+)*)(?:(?<!tel):\d+/?)?(?![^:/]*:/*)' % (safe, safe)
+        fragment = r'[%s]*' % (safe + less_safe)
+
+        return re.compile(r'^(?:(%s)?(%s)(%s)|(#|\.{,2}/)(%s))$' % (self._safe_protocols, domain, fragment, fragment), re.I)
 
     def _do_links(self, text):
         """Turn Markdown link shortcuts into XHTML <a> and <img> tags.

test/tm-cases/link_safe_urls.html

@@ -1,11 +1,47 @@
+<h1>Normal links</h1>
+
 <p><a href="https://www.example.com">Safe link 1</a></p>
 
 <p><a href="http://www.example.com">Safe link 2</a></p>
 
 <p><a href="ftp://www.example.com">Safe link 3</a></p>
 
-<p><a href="#anchor">Safe link 4</a></p>
+<p><a href="mailto:emailaddress@server.com">Safe link 4</a></p>
+
+<p><a href="tel:0123456789">Safe link 5</a></p>
+
+<p><a href="#anchor">Safe link 6</a></p>
+
+<h1>Bad protocols</h1>
 
 <p><a href="#">Unsafe link 1</a></p>
 
 <p><a href="#">Unsafe link 2</a></p>
+
+<h1>Relative links</h1>
+
+<p><a href="example">Safe link 1</a></p>
+
+<p><a href="./example">Safe link 2</a></p>
+
+<p><a href="../../example">Safe link 3</a></p>
+
+<p><a href="/example">Safe link 4</a></p>
+
+<p><a href="#">Unsafe link 1</a></p>
+
+<h1>Edge cases</h1>
+
+<p><a href="www.example.com/abc:def">Safe link 1</a></p>
+
+<p><a href="www.example.com/abc:/def">Safe link 2</a></p>
+
+<p><a href="https://www.example.com:4200">Safe link 3</a></p>
+
+<p><a href="https://www.example.com:4200/abcdef">Safe link 4</a></p>
+
+<p><a href="#">Unsafe link 1</a></p>
+
+<p><a href="#">Unsafe link 2</a></p>
+
+<p><a href="#">Unsafe link 3</a></p>

test/tm-cases/link_safe_urls.text

@@ -1,11 +1,47 @@
+# Normal links
+
 [Safe link 1](https://www.example.com)
 
 [Safe link 2](http://www.example.com)
 
 [Safe link 3](ftp://www.example.com)
 
-[Safe link 4](#anchor)
+[Safe link 4](mailto:emailaddress@server.com)
+
+[Safe link 5](tel:0123456789)
+
+[Safe link 6](#anchor)
+
+# Bad protocols
 
 [Unsafe link 1](unknown://www.example.com)
 
-[Unsafe link 2](example)
+[Unsafe link 2](mailfrom:www.example.com)
+
+# Relative links
+
+[Safe link 1](example)
+
+[Safe link 2](./example)
+
+[Safe link 3](../../example)
+
+[Safe link 4](/example)
+
+[Unsafe link 1](.../www.example.com)
+
+# Edge cases
+
+[Safe link 1](www.example.com/abc:def)
+
+[Safe link 2](www.example.com/abc:/def)
+
+[Safe link 3](https://www.example.com:4200)
+
+[Safe link 4](https://www.example.com:4200/abcdef)
+
+[Unsafe link 1](unknown://www.example.com://abc)
+
+[Unsafe link 2](C:/Windows/System32)
+
+[Unsafe link 3](C:\Windows\System32)