Markdown: fix double escaping URLs in safelink

* Markdown: fix double escaping URLs in safelink * add tests * fix isort
2026-05-05 15:14:04 +00:00 · 2026-01-29 12:14:12 +01:00
parent 4f521022f5
commit 1e2900ad2a
2 changed files with 43 additions and 1 deletions
--- a/src/tests/base/test_rich_text.py
+++ b/src/tests/base/test_rich_text.py
@@ -19,7 +19,11 @@
 # You should have received a copy of the GNU Affero General Public License along with this program.  If not, see
 # <https://www.gnu.org/licenses/>.
 #
+import html
+import urllib.parse
+
 import pytest
+from django.core import signing

 from pretix.base.templatetags.rich_text import (
    ALLOWED_ATTRIBUTES, ALLOWED_TAGS, markdown_compile_email, rich_text,
@@ -43,6 +47,10 @@ from pretix.base.templatetags.rich_text import (
            "[Foo](/foo)",
            '<a href="http://example.com/foo" rel="noopener" target="_blank">Foo</a>',
        ),
+        (
+            "[Foo](/foo?bar&baz)",
+            '<a href="http://example.com/foo?bar&amp;baz" rel="noopener" target="_blank">Foo</a>',
+        ),
        ("mail@example.org", '<a href="mailto:mail@example.org">mail@example.org</a>'),
        # Test truelink_callback
        (
@@ -111,6 +119,40 @@ def test_linkify_abs(link):
    assert markdown_compile_email(input) == f"<p>{output}</p>"


+signer = signing.Signer(salt='safe-redirect')
+
+
+@pytest.mark.parametrize(
+    "url,result",
+    [
+        ('http://example.com/foo', '<a href="/redirect/?url={}" rel="noopener" target="_blank">{}</a>'),
+        ('http://example.com/foo?bar&baz', '<a href="/redirect/?url={}" rel="noopener" target="_blank">{}</a>'),
+        ('http://example.com/foo?bar&baz>', '<a href="/redirect/?url={}" rel="noopener" target="_blank">{}</a>'),
+        (
+            'http://example.com/foo?bar&baz">',
+            '<a href="/redirect/?url={}" rel="noopener" target="_blank">{}</a>"&gt;'.format(
+                urllib.parse.quote(signer.sign('http://example.com/foo?bar&baz')),
+                html.escape('http://example.com/foo?bar&baz'),
+            )
+        ),
+        (
+            'http://example.com/foo?bar&baz\\">',
+            '<a href="/redirect/?url={}" rel="noopener" target="_blank">{}</a>\\"&gt;'.format(
+                urllib.parse.quote(signer.sign('http://example.com/foo?bar&baz')),
+                html.escape('http://example.com/foo?bar&baz'),
+            )
+        ),
+    ],
+)
+def test_linkify_safelinks(url, result):
+    output = result.format(
+        urllib.parse.quote(signer.sign(url)),
+        html.escape(url),
+    )
+    assert rich_text_snippet(url, safelinks=True) == output
+    assert rich_text(url, safelinks=True) == f"<p>{output}</p>"
+
+
@pytest.mark.parametrize(
    "content,result",
    [