Description
When using autolink on a text including a link like this one
www.google.com"onclick="alert('gotcha!')
And render the output as it is suggested in the example:
String result = Autolink.renderLinks(input, links, (link, text, sb) -> {
sb.append("<a href=\"");
sb.append(text, link.getBeginIndex(), link.getEndIndex());
sb.append("\">");
sb.append(text, link.getBeginIndex(), link.getEndIndex());
sb.append("</a>");
});
the output will be
<a href="www.google.com"onclick="alert('gotcha!')">www.google.com"onclick="alert('gotcha!')</a>"
which is strictly speaking invalid HTML, but browsers will still execute the click handler. See https://jsfiddle.net/vLjLLo8n/2/ to try it out.
I understand that appending a subsequence to the StringBuilder is the more efficient than providing the link as a String, but to make this secure, you would need to get the substring and perform encoding on it.
So, for example using OWASP Java Encoder, the rendering needs to be done like this:
String result = Autolink.renderLinks(input, links, (link, text, sb) -> {
String linkString = new StringBuilder().append(text, link.getBeginIndex(), link.getEndIndex()).toString();
sb.append("<a href=\"");
sb.append(Encode.forHtmlAttribute(linkString));
sb.append("\">");
sb.append(Encode.forHtml(linkString));
sb.append("</a>");
});
resulting in a safe output:
<a href="www.google.com"onclick="alert('gotcha!')">www.google.com"onclick="alert('gotcha!')</a>
Easiest fix for this particular problem would probably be if autolink would not include single or double quotes, or any other character not legal in a URL.
(EDIT: single quotes are legal characters)
A possibly breaking API change would be to provide the linkString as part of the LinkSpan interface.