Comments (6)
Yeah, I'm fully aware of this, that's why there is a note for that example:

> Note that it doesn't handle escaping at all
But maybe I should either:
- Not include this example at all, as it's dangerous if someone copied it like that
- Change the example so that it escapes all parts of text
- Change the example so that it parses the input as HTML and only finds links in text (to prevent double linking)
Note that even your suggested change of using `Encode` would have problems in the real world, as it wouldn't escape text outside links.
What do you think?
from autolink-java.
First, the URLs really should not include characters not allowed in URLs. According to this post on Stackoverflow double quotes are not legal.
Giving an example in the readme is important, I wouldn't have learned about the AutoLink class otherwise. As a general effort to spread knowledge about important security best practices, it's maybe a good thing to include usage of `Encode`.
If you are using the library as a tool to create HTML out of some kind of plaintext, that plaintext needs to be sanitized before using it to autolink. That's what I do in my real world application; only during autolinking some of it becomes unwanted code again.
from autolink-java.
I was following Rinku's behavior in this case. Having said that, I don't think stopping URLs at `"` would be a problem in practice, so I'm open to changing it. Or did you want to work on that?
I'll update the example when I find some time.
from autolink-java.
Ok, I've:
- Pushed a change to stop URLs at `"`
- Created PR #25 to deprecate `renderLinks` by making it possible to write the example in a much more straightforward way (and handle escaping correctly for the rest of the text too):
```java
Iterable<Span> spans = linkExtractor.extractSpans(input);
StringBuilder sb = new StringBuilder();
for (Span span : spans) {
    String text = input.substring(span.getBeginIndex(), span.getEndIndex());
    if (span instanceof LinkSpan) {
        // span is a URL
        sb.append("<a href=\"");
        sb.append(Encode.forHtmlAttribute(text));
        sb.append("\">");
        sb.append(Encode.forHtml(text));
        sb.append("</a>");
    } else {
        // span is plain text before/after link
        sb.append(Encode.forHtml(text));
    }
}
result = sb.toString();
```
from autolink-java.
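To make the difference the PR is aiming at concrete, here is an added stand-alone program (not code from the autolink-java project or from any comment in this thread) that contrasts a renderer copying spans into HTML verbatim, the pattern the old README example encouraged, with one that encodes every span for the context it lands in. It assumes autolink-java 0.9.0 or later (for `extractSpans`) and the OWASP Java Encoder (`org.owasp.encoder.Encode`) on the classpath; the class name `SafeAutolink`, the helper names and the sample input are made up for the illustration.

```java
import java.util.EnumSet;

import org.nibor.autolink.LinkExtractor;
import org.nibor.autolink.LinkSpan;
import org.nibor.autolink.LinkType;
import org.nibor.autolink.Span;
import org.owasp.encoder.Encode;

public class SafeAutolink {

    // Extract http(s):// URLs and www. links; email detection is not needed here.
    private static final LinkExtractor EXTRACTOR = LinkExtractor.builder()
            .linkTypes(EnumSet.of(LinkType.URL, LinkType.WWW))
            .build();

    /** Scheme-less www. links need a scheme prefix to be a usable href. */
    private static String hrefFor(LinkSpan link, String text) {
        return link.getType() == LinkType.WWW ? "http://" + text : text;
    }

    /**
     * Verbatim rendering: link text and the plain text around it are copied
     * into the HTML unchanged, so any markup in the input stays live in the output.
     */
    static String renderUnsafe(String input) {
        StringBuilder sb = new StringBuilder();
        for (Span span : EXTRACTOR.extractSpans(input)) {
            String text = input.substring(span.getBeginIndex(), span.getEndIndex());
            if (span instanceof LinkSpan) {
                sb.append("<a href=\"").append(hrefFor((LinkSpan) span, text)).append("\">")
                  .append(text).append("</a>");
            } else {
                sb.append(text);
            }
        }
        return sb.toString();
    }

    /**
     * The approach of PR #25: each span is encoded for its HTML context,
     * attribute context for the href and element content for everything else.
     */
    static String renderSafe(String input) {
        StringBuilder sb = new StringBuilder();
        for (Span span : EXTRACTOR.extractSpans(input)) {
            String text = input.substring(span.getBeginIndex(), span.getEndIndex());
            if (span instanceof LinkSpan) {
                sb.append("<a href=\"")
                  .append(Encode.forHtmlAttribute(hrefFor((LinkSpan) span, text)))
                  .append("\">")
                  .append(Encode.forHtml(text))
                  .append("</a>");
            } else {
                // Plain text before, between or after links gets encoded too.
                sb.append(Encode.forHtml(text));
            }
        }
        return sb.toString();
    }

    public static void main(String[] args) {
        // Constructed sample: markup in the plain text, an ampersand inside the URL.
        String input = "Read <b>this</b>: http://example.com/?a=1&b=2 or www.example.org";
        System.out.println("unsafe: " + renderUnsafe(input));
        System.out.println("safe:   " + renderSafe(input));
    }
}
```

With that input, `renderUnsafe` leaves the `<b>` element and the raw `&b=2` inside the `href` attribute untouched, while `renderSafe` emits `&lt;b&gt;` for the plain-text span and `&amp;b=2` inside both the attribute and the link text, which is exactly the part the old `renderLinks`-based example could not cover because it never saw the text outside the links.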
@mindhaq nothing? Ok. I'm gonna merge that PR.
from autolink-java.
I have since released this change as 0.9.0, see CHANGELOG: https://github.com/robinst/autolink-java/blob/master/CHANGELOG.md#090---2018-06-04
from autolink-java.