Merge branch 'master' into fix/js-prevent-multiple-submit

pkvach · Mar 11, 2024 · a1f92a1 · a1f92a1
2 parents f93f9b0 + 90aa041
commit a1f92a1
Show file tree

Hide file tree

Showing 4 changed files with 68 additions and 0 deletions.
diff --git a/.github/workflows/docker-build.yaml b/.github/workflows/docker-build.yaml
@@ -0,0 +1,59 @@
+name: Docker Build
+
+on:
+  push:
+    branches:
+      - "master"
+    tags:
+      - "*"
+  pull_request:
+
+env:
+  build_platforms: ${{ vars.BUILD_PLATFORMS || 'linux/amd64,linux/arm64/v8' }}
+  build_image: ${{ vars.BUILD_IMAGE || 'ghcr.io/isso-comments/isso' }}
+
+jobs:
+  build:
+    runs-on: ubuntu-latest
+    permissions:
+      packages: write
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v3
+
+      - name: Docker meta
+        id: meta
+        uses: docker/metadata-action@v4
+        with:
+          flavor: |
+            latest=false
+          images: ${{ env.build_image }}
+          tags: |
+            type=ref,event=pr
+            type=semver,pattern={{major}}
+            type=semver,pattern={{major}}.{{minor}}
+            type=semver,pattern={{version}}
+            type=raw,value=latest,enable={{is_default_branch}}
+
+      - name: Login to Github Container Registry
+        if: github.event_name != 'pull_request'
+        uses: docker/login-action@v2
+        with:
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v2
+
+      - name: Build and push
+        id: docker_build
+        uses: docker/build-push-action@v4
+        with:
+          push: ${{ github.event_name != 'pull_request' }}
+          tags: ${{ steps.meta.outputs.tags }}
+          labels: ${{ steps.meta.outputs.labels }}
+          platforms: ${{ env.build_platforms }}
+
+      - name: Image digest
+        run: echo ${{ steps.docker_build.outputs.digest }}
diff --git a/CHANGES.rst b/CHANGES.rst
@@ -22,11 +22,13 @@ Bugfixes & Improvements
 - Changed website validation to allow domain names containing umlauts (`#951`_, schneidr)
 - Improve Spanish translation (`#967`_, welpo)
 - Make language code handling more robust (`#983`_, ix5)
+- Prevent auto creation of invalid links in comments (`#995`_, pkvach)
 - Disable Postbox submit button on click, enable after response (`#993`_, pkvach)
 
 .. _#951: https://github.com/posativ/isso/pull/951
 .. _#967: https://github.com/posativ/isso/pull/967
 .. _#983: https://github.com/posativ/isso/pull/983
+.. _#995: https://github.com/isso-comments/isso/pull/995
 .. _#993: https://github.com/isso-comments/isso/pull/993
 
 0.13.1.dev0 (2023-02-05)

diff --git a/isso/tests/test_html.py b/isso/tests/test_html.py
@@ -67,6 +67,8 @@ def test_sanitizer(self):
              ['<a href="http://example.org/" rel="nofollow noopener">Ha</a>',
               '<a rel="nofollow noopener" href="http://example.org/">Ha</a>']),
             ('<a href="sms:+1234567890">Ha</a>', '<a>Ha</a>'),
+            ('ld.so', 'ld.so'),
+            ('/usr/lib/x86_64-linux-gnu/libc/memcpy-preload.so', '/usr/lib/x86_64-linux-gnu/libc/memcpy-preload.so'),
             ('<p style="visibility: hidden;">Test</p>', '<p>Test</p>'),
             ('<script>alert("Onoe")</script>', 'alert("Onoe")')]
 

diff --git a/isso/utils/html.py b/isso/utils/html.py
@@ -27,6 +27,11 @@ def sanitize(self, text):
         clean_html = bleach.clean(text, tags=self.elements, attributes=self.attributes, strip=True)
 
         def set_links(attrs, new=False):
+            # Linker can misinterpret text as a domain name and create new invalid links.
+            # To prevent this, we only allow existing links to be modified.
+            if new:
+                return None
+
             href_key = (None, u'href')
 
             if href_key not in attrs: