Possible code injection about autolink-java HOT 6 CLOSED

Yeah, I'm fully aware of this, that's why there is a note for that example:

Note that it doesn't handle escaping at all

But maybe I should either:

• Not include this example at all, as it's dangerous if someone copied it like that
• Change the example so that it escapes all parts of text
• Change the example so that it parses the input as HTML and only finds links in text (to prevent double linking)

Note that even your suggested change of using Encode would have problems in the real world, as it wouldn't escape text outside links.

What do you think?

from autolink-java.

First, the URLs really should not include characters not allowed in URLs. According to this post on Stackoverflow double quotes are not legal.

Giving an example in the readme is important, I wouldn't have learned about the AutoLink class otherwise. As a general effort to spread knowledge about important security best practices, it's maybe a good thing to include usage of Encode.

If you are using the library as a tool to create HTML out of some kind of plaintext, that plaintext needs to be sanitized before using it to autolink. That's what I do in my real world application; only during autolinking some of it becomes unwanted code again.

from autolink-java.

I was following Rinku's behavior in this case. Having said that, I don't think stopping URL's at " would be a problem in practice, so I'm open to changing it. Or did you want to work on that?

I'll update the example when I find some time.

from autolink-java.

Ok, I've:

• Pushed a change to stop URLs at "
• Created PR #25 to deprecate renderLinks by making it possible to write the example in a much more straightforward way (and handle escaping correctly for the rest of the text too):

Iterable<Span> spans = linkExtractor.extractSpans(input);

StringBuilder sb = new StringBuilder();
for (Span span : spans) {
    String text = input.substring(span.getBeginIndex(), span.getEndIndex());
    if (span instanceof LinkSpan) {
        // span is a URL
        sb.append("<a href=\"");
        sb.append(Encode.forHtmlAttribute(text));
        sb.append("\">");
        sb.append(Encode.forHtml(text));
        sb.append("</a>");
    } else {
        // span is plain text before/after link
        sb.append(Encode.forHtml(text));
    }
}
result = sb.toString();

from autolink-java.

@mindhaq nothing? Ok. I'm gonna merge that PR.

from autolink-java.

I have since released this change as 0.9.0, see CHANGELOG: https://github.com/robinst/autolink-java/blob/master/CHANGELOG.md#090---2018-06-04

from autolink-java.