Issue 341 - XSS in link text

[xurble]

This will apply escaping on link text which can currently inject XSS

Fixes #341

[nicholasserra]

What's up with the removed_text and removed_text_compat variable changes here? Did you run into an issue with the existing replacement?

[xurble]

Yeah, it inserts the removed text “HTML_REMOVED” when it takes out something bad.

Obviously that’s got an underscore in it so if you have more than one in a paragraph you get unwanted italics.

It broke a bunch of unit tests.

I changed the string inserted to something innocuous and then I change it back to “HTML_REMOVED” later on in the pipeline after the italics replacement has run.

It’s a little cheesy but it passes all the unit tests.

[nicholasserra]

Gotcha. I'll take a better look at this sometime this week. If you search the main code for md5, you'll see there's some similar things happening, but using an md5 hash as a temporary placeholder.

[nicholasserra]

I don't love the replacement here but it'll do for now. Passes tests and fixes the issue. Thanks!