restrict link protocols in safe mode

[alanhamlett]

Related to #51 and #174.

When safe_mode is truthy, only allows http, https, and ftp protocols in links to prevent XSS.

[nicholasserra]

Nice, thank you

[nicholasserra]

@trentm We could probably use a release and new version. I think we're past due ha

[nicholasserra]

@alanhamlett I may revert this as #233 was brought to my attention. Should urls be unescaped with safe mode on? I think that this patch may need to be more specific in keeping urls unescaped.

[alanhamlett]

Ok, we shouldn't escape urls when safe mode is on? I can submit a new PR with only the necessary changes, or all if it's reverted?

[nicholasserra]

Bringing @lopopolo in on this conversation as he made the report. I don't actually know what is the most "correct" way to handle this. aka either:

1. Safe mode escapes everything including stuff in links
2. Safe mode escapes everything except for what we want to exclude.

[lopopolo]

I'd consider the way django handles autoescaping

Escapes a string’s HTML. Specifically, it makes these replacements:

< is converted to &lt;
> is converted to &gt;
' (single quote) is converted to &#39;
" (double quote) is converted to &quot;
& is converted to &amp;

This patch doesn't escape input; it urlencodes it. URL encoding should be applied to URL parameters. Not HTML content.

[strindhaug]

What is "safe_mode" supposed to do? I can't find any documentation about it.

If safe mode actually is supposed to break all links (as it does now), why bother converting the link syntax [a link](http://example.com) into an invalid link <a href="http://my-forum-domain.com/forum/forum/sometopic/http%3A%2F%2Fexample.com">a link</a> in the first place. Why not just strip the links completely, and replace it with the text [links not allowed] or something.

The same applies to images. Why not just remove images instead of leaving a broken image tag, for perfectly innocent image urls, if "safe_mode" is supposed to break all urls.

[alanhamlett]

@strindhaug safe mode shouldn't break links or images, it should just urlencode them. I htmlencoded them to prevent injecting javascript into elements, but I'll switch to urlencoding to fix this.

[strindhaug]

@alanhamlett But url'encoding the whole url does break images and links, because changing http:// to http%3A%2F%2F changes the url from an absolute url to (almost guaranteed to be invalid) relative url.

Try adding this to test/tm-cases/basic_safe_mode.text

![ok img](http://example.com/image.gif?h=200&w=500)

[link ok](http://example.com)

and this to test/tm-cases/basic_safe_mode.html:

<p><img src="http://example.com/image.gif?h=200&amp;w=500" alt="ok img" /></p>

<p><a href="http://example.com">link ok</a></p>

[nicholasserra]

Fixed in #236 thanks everyone!