Markdown: fix double escaping URLs in safelink

* Markdown: fix double escaping URLs in safelink

* add tests

* fix isort

src/pretix/base/templatetags/rich_text.py

@@ -156,7 +156,7 @@ def safelink_callback(attrs, new=False):
     Makes sure that all links to a different domain are passed through a redirection handler
     to ensure there's no passing of referers with secrets inside them.
     """
-    url = attrs.get((None, 'href'), '/')
+    url = html.unescape(attrs.get((None, 'href'), '/'))
     if not url_has_allowed_host_and_scheme(url, allowed_hosts=None) and not url.startswith('mailto:') and not url.startswith('tel:'):
         signer = signing.Signer(salt='safe-redirect')
         attrs[None, 'href'] = reverse('redirect') + '?url=' + urllib.parse.quote(signer.sign(url))

src/tests/base/test_rich_text.py

@@ -19,7 +19,11 @@
 # You should have received a copy of the GNU Affero General Public License along with this program.  If not, see
 # <https://www.gnu.org/licenses/>.
 #
+import html
+import urllib.parse
+
 import pytest
+from django.core import signing
 
 from pretix.base.templatetags.rich_text import (
     ALLOWED_ATTRIBUTES, ALLOWED_TAGS, markdown_compile_email, rich_text,
@@ -43,6 +47,10 @@ from pretix.base.templatetags.rich_text import (
             "[Foo](/foo)",
             '<a href="http://example.com/foo" rel="noopener" target="_blank">Foo</a>',
         ),
+        (
+            "[Foo](/foo?bar&baz)",
+            '<a href="http://example.com/foo?bar&amp;baz" rel="noopener" target="_blank">Foo</a>',
+        ),
         ("mail@example.org", '<a href="mailto:mail@example.org">mail@example.org</a>'),
         # Test truelink_callback
         (
@@ -111,6 +119,40 @@ def test_linkify_abs(link):
     assert markdown_compile_email(input) == f"<p>{output}</p>"
 
 
+signer = signing.Signer(salt='safe-redirect')
+
+
+@pytest.mark.parametrize(
+    "url,result",
+    [
+        ('http://example.com/foo', '<a href="/redirect/?url={}" rel="noopener" target="_blank">{}</a>'),
+        ('http://example.com/foo?bar&baz', '<a href="/redirect/?url={}" rel="noopener" target="_blank">{}</a>'),
+        ('http://example.com/foo?bar&baz>', '<a href="/redirect/?url={}" rel="noopener" target="_blank">{}</a>'),
+        (
+            'http://example.com/foo?bar&baz">',
+            '<a href="/redirect/?url={}" rel="noopener" target="_blank">{}</a>"&gt;'.format(
+                urllib.parse.quote(signer.sign('http://example.com/foo?bar&baz')),
+                html.escape('http://example.com/foo?bar&baz'),
+            )
+        ),
+        (
+            'http://example.com/foo?bar&baz\\">',
+            '<a href="/redirect/?url={}" rel="noopener" target="_blank">{}</a>\\"&gt;'.format(
+                urllib.parse.quote(signer.sign('http://example.com/foo?bar&baz')),
+                html.escape('http://example.com/foo?bar&baz'),
+            )
+        ),
+    ],
+)
+def test_linkify_safelinks(url, result):
+    output = result.format(
+        urllib.parse.quote(signer.sign(url)),
+        html.escape(url),
+    )
+    assert rich_text_snippet(url, safelinks=True) == output
+    assert rich_text(url, safelinks=True) == f"<p>{output}</p>"
+
+
 @pytest.mark.parametrize(
     "content,result",
     [