Merge pull request #513 from Crozzers/fix-rel-links-in-safe-mode

Fix relative links not working in safe mode (issue #254)

CHANGES.md

@@ -9,6 +9,7 @@
 - [pull #509] Fix HTML elements not unhashing correctly (issue 508)
 - [pull #511] Remove deprecated `imp` module (issue #510)
 - [pull #512] Allow link patterns to be passed via extras dict
+- [pull #513] Fix relative links not working in safe mode (issue #254)
 
 
 ## python-markdown2 2.4.8

lib/markdown2.py

@@ -1483,7 +1483,13 @@ def _protect_url(self, url):
         self._escape_table[url] = key
         return key
 
-    _safe_protocols = re.compile(r'(https?|ftp):', re.I)
+    # _safe_href is copied from pagedown's Markdown.Sanitizer.js
+    # From: https://github.com/StackExchange/pagedown/blob/master/LICENSE.txt
+    # Original Showdown code copyright (c) 2007 John Fraser
+    # Modifications and bugfixes (c) 2009 Dana Robinson
+    # Modifications and bugfixes (c) 2009-2014 Stack Exchange Inc.
+    _safe_href = re.compile(r'^((https?|ftp):\/\/|\/|\.|#)[-A-Za-z0-9+&@#\/%?=~_|!:,.;\(\)*[\]$]*$', re.I)
+
     def _do_links(self, text):
         """Turn Markdown link shortcuts into XHTML <a> and <img> tags.
 
@@ -1601,7 +1607,7 @@ def _do_links(self, text):
                         anchor_allowed_pos = start_idx + len(result)
                         text = text[:start_idx] + result + text[url_end_idx:]
                     elif start_idx >= anchor_allowed_pos:
-                        safe_link = self._safe_protocols.match(url) or url.startswith('#')
+                        safe_link = self._safe_href.match(url)
                         if self.safe_mode and not safe_link:
                             result_head = '<a href="#"%s>' % (title_str)
                         else:
@@ -1657,7 +1663,7 @@ def _do_links(self, text):
                             curr_pos = start_idx + len(result)
                             text = text[:start_idx] + result + text[match.end():]
                         elif start_idx >= anchor_allowed_pos:
-                            if self.safe_mode and not self._safe_protocols.match(url):
+                            if self.safe_mode and not self._safe_href.match(url):
                                 result_head = '<a href="#"%s>' % (title_str)
                             else:
                                 result_head = '<a href="%s"%s>' % (self._protect_url(url), title_str)

test/tm-cases/basic_safe_mode.html

@@ -6,13 +6,13 @@
 
 <p>[HTML_REMOVED]alert(1)[HTML_REMOVED]</p>
 
-<p><a href="http://example.com&quot;onclick=&quot;alert(1)">link1</a></p>
+<p><a href="#">link1</a></p>
 
 <p><a href="http://example.com" title="title&quot;onclick=&quot;alert(1)">link2</a></p>
 
-<p><a href="http://example.com&gt;[HTML_REMOVED]alert(1)[HTML_REMOVED]">link3</a></p>
+<p><a href="#">link3</a></p>
 
-<p><a href="http://example.com&gt;[HTML_REMOVED]alert(1)[HTML_REMOVED]">link4 &gt;[HTML_REMOVED]alert(1)[HTML_REMOVED]</a></p>
+<p><a href="#">link4 &gt;[HTML_REMOVED]alert(1)[HTML_REMOVED]</a></p>
 
 <p><a href="#">link5</a></p>
 

test/tm-cases/relative_links_safe_mode.html

@@ -0,0 +1,6 @@
+<p><a href="https://www.hostname.com/absolute/path">link1</a>
+<a href="https://www.hostname.com/absolute/path#anchor-on-another-page">link2</a>
+<a href="#anchor-on-this-page">link3</a>
+<a href="/">link4</a>
+<a href="/absolute/path">link5</a>
+<a href="../relative/path">link6</a></p>

test/tm-cases/relative_links_safe_mode.opts

@@ -0,0 +1 @@
+{"safe_mode": "escape"}

test/tm-cases/relative_links_safe_mode.text

@@ -0,0 +1,6 @@
+[link1](https://www.hostname.com/absolute/path)
+[link2](https://www.hostname.com/absolute/path#anchor-on-another-page)
+[link3](#anchor-on-this-page)
+[link4](/)
+[link5](/absolute/path)
+[link6](../relative/path)