Prevent javascript:// URLs from linking in text fields.

Review Request #896 - Created Oct. 2, 2017 and updated

guest5951
Review Board
157dbe0...
guest8527
When rendering text for text fields, we attempt to turn anything that
looks like a link into an actual link, to make it easier to navigate to
any referenced URLs. However, this logic also catches `javascript://`
URLs, which can be used to execute code from within the context of the
page.

This change moves to a URI scheme whitelist, allowing safe URLs to be
opened, while disallowing everything else (including `javascript:`
URLs). This prevents users from accidentally clicking a malicious link.

The major types of schemes people care about are whitelisted, along with
a few more obscure ones (including `gopher://`, why not). It's easy to
add more supported types to the whitelist.

We don't need to guard against malicious URLs in Markdown links, as
Python-Markdown already whitelists schemes itself.

Testing Done:
Unit tests pass.

Manually tested a variety of supported and unsupported URLs, to check
that linking was working correctly.

Reviewed at https://reviews.reviewboard.org/r/9160/
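The scheme-whitelist approach described in the request, as an added example that is not Review Board's own code: `linkify_unsafe` reproduces the old behaviour (any `scheme:` token becomes a link, `javascript:` included), and `linkify` applies an allowlist so unlisted schemes are rendered as inert text. The allowlist contents and the URL regex are assumptions for this example.

```python
import html
import re

# Constructed allowlist for this example. The page names only gopher:// and the
# usual web schemes; the exact set in the real change is an assumption.
SAFE_SCHEMES = frozenset({"http", "https", "ftp", "ftps", "mailto", "gopher"})

# Anything shaped like "scheme:rest" with no whitespace. This deliberately also
# matches javascript:alert(1) and javascript://..., so that the allowlist, not
# the pattern, is what decides whether a token becomes a link.
URL_RE = re.compile(r"\b([a-zA-Z][a-zA-Z0-9+.-]*):(//)?([^\s<>\"']+)")


def _linkify(text, allowed):
    """Escape `text` for HTML, turning URL-like tokens into <a> tags when their
    scheme is in `allowed` (None = link everything, the pre-fix behaviour)."""
    out, pos = [], 0
    for m in URL_RE.finditer(text):
        out.append(html.escape(text[pos:m.start()]))
        url = m.group(0)
        scheme = m.group(1).lower()   # JavaScript: and javascript: are the same scheme
        if allowed is None or scheme in allowed:
            out.append('<a href="%s">%s</a>'
                       % (html.escape(url, quote=True), html.escape(url)))
        else:
            out.append(html.escape(url))  # plain text, never an href
        pos = m.end()
    out.append(html.escape(text[pos:]))
    return "".join(out)


def linkify_unsafe(text):
    """Before the fix: every URL-looking token, whatever its scheme, is linked."""
    return _linkify(text, None)


def linkify(text):
    """After the fix: only allowlisted schemes are linked; the rest stay inert."""
    return _linkify(text, SAFE_SCHEMES)


if __name__ == "__main__":
    # Constructed sample field contents.
    for s in ["Docs at https://example.com/x?a=1&b=2 ok",
              "Click javascript://%0aalert(1) to see",
              "Or JavaScript:alert(1) in mixed case"]:
        print(linkify(s))
```

Because the allowlist is the gate, false positives of the regex (such as `a:b` in prose) degrade to plain text rather than to a link.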

