Allow more relative links in safe mode (issue #517) #520
This PR fixes #517 by expanding the scope of the `_safe_href` regex to include more types of relative links.

Previously, #513 was merged which allowed the following kinds of relative links:

But did not allow this:

`[link](issue1)`

The new regex should allow URLs to omit the protocol section of the URL or use relative paths instead of a protocol (eg: `./`, `../`, `/`) followed by a hostname, optional port number and then the rest of the URL.

I've also expanded the number of accepted protocols to include `mailto:` and `tel:`.

Also, the `_safe_protocols` attribute has been re-introduced to allow users to extend the number of allowed protocols when operating in safe mode (see this comment).
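
An added illustration of the allowlist check described above, not the project's `_safe_href` regex or code from this PR: relative links pass, a link with a protocol passes only if that protocol is allowlisted, and the allowlist can be extended by the caller. The names `is_safe_href`, `filter_links` and `DEFAULT_SAFE_PROTOCOLS`, the `http`/`https`/`ftp` defaults, the `#` replacement and the `sms` extension are assumptions.

```python
import re

# Assumed default allowlist: the PR names mailto: and tel:; the rest are assumptions.
DEFAULT_SAFE_PROTOCOLS = frozenset({"http", "https", "ftp", "mailto", "tel"})

# ASCII control characters and spaces, which browsers trim or drop when parsing a URL.
_IGNORED = re.compile(r"[\x00-\x20\x7f]")
# RFC 3986 scheme: a letter, then letters, digits, "+", "-" or ".", ending at ":".
_SCHEME = re.compile(r"^([A-Za-z][A-Za-z0-9+.\-]*):")


def is_safe_href(href, safe_protocols=DEFAULT_SAFE_PROTOCOLS):
    """Return True if href is relative or uses an allowlisted protocol."""
    # Normalise first so the check sees the same scheme a browser would.
    candidate = _IGNORED.sub("", href)
    scheme = _SCHEME.match(candidate)
    if scheme:
        return scheme.group(1).lower() in safe_protocols
    # No parsable scheme: accept only if it is unambiguously relative. RFC 3986
    # forbids ":" in the first segment of a relative path, so reject that case.
    first_segment = re.split(r"[/?#]", candidate, maxsplit=1)[0]
    return ":" not in first_segment


def filter_links(hrefs, safe_protocols=DEFAULT_SAFE_PROTOCOLS):
    """Map each href to itself when safe, or to "#" when rejected."""
    return {h: (h if is_safe_href(h, safe_protocols) else "#") for h in hrefs}


# Constructed sample links, not taken from the PR's test suite.
SAMPLES = [
    "issue1", "./docs/a.md", "../b", "/c?x=1#top", "//example.com:8080/p",
    "https://example.com/", "mailto:dev@example.com", "tel:+15550100",
    "javascript:alert(1)", "JaVaScRiPt:alert(1)", "java\tscript:alert(1)",
    "data:text/html,x", "sms:+15550100",
]

if __name__ == "__main__":
    for href, out in filter_links(SAMPLES).items():
        print(f"{href!r:35} -> {out!r}")
```

Passing `DEFAULT_SAFE_PROTOCOLS | {"sms"}` as the second argument accepts the last sample, which is the kind of extension the re-introduced `_safe_protocols` attribute is described as allowing.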