Included django.utils.html.escape() in the linkify() code, and removed it from various templates, to make sure escape is consistently applied before linkify. Fixes issue ietf-tools#2492.

 - Legacy-Id: 15035

Author: levkowetz

ietf/templates/doc/document_ballot_content.html

@@ -93,7 +93,7 @@ <h4 class="anchor-target" id="{{ p.ad.plain_name|slugify }}">
             <div class="panel-heading">
               <h5 class="panel-title"><b>{{ p.pos.name }}</b> ({{ p.discuss_time|date:"Y-m-d" }}{% if not p.for_current_revision %} for -{{ p.get_dochistory.rev}}{% endif %})</h5>
             </div>
-            <div class="panel-body"><pre class="ballot pasted">{{ p.discuss|escape|linkify }}</pre></div>
+            <div class="panel-body"><pre class="ballot pasted">{{ p.discuss|linkify }}</pre></div>
           </div>
         {% endif %}
 
@@ -102,7 +102,7 @@ <h5 class="panel-title"><b>{{ p.pos.name }}</b> ({{ p.discuss_time|date:"Y-m-d"
             <div class="panel-heading">
               <h5 class="panel-title"><b>Comment</b> ({{ p.comment_time|date:"Y-m-d" }}{% if not p.for_current_revision %} for -{{ p.get_dochistory.rev}}{% endif %})</h5>
             </div>
-            <div class="panel-body"><pre class="ballot pasted">{{ p.comment|escape|linkify }}</pre></div>
+            <div class="panel-body"><pre class="ballot pasted">{{ p.comment|linkify }}</pre></div>
           </div>
         {% endif %}
       {% endfor %}

ietf/templates/doc/document_review.html

@@ -55,6 +55,6 @@
   <h2>{{ doc.type.name }}<br><small>{{ doc.name }}</small></h2>
 
   {% if doc.rev and content != None %}
-    <pre class="pasted">{{ content|linkify|safe|sanitize }}</pre>
+    <pre class="pasted">{{ content|linkify }}</pre>
   {% endif %}
 {% endblock %}

ietf/templates/doc/drafts_in_iesg_process.html

@@ -47,7 +47,7 @@ <h1>{{ title }}</h1>
 	      <a href="{% url "ietf.doc.views_doc.document_main" doc.name %}">{{ doc.name }}</a>
           <br><b>{{ doc.title }}</b>
 	      {% if doc.note %}
-	        <br><i>Note: {{ doc.note|linebreaksbr|linkify }}</i>
+	        <br><i>Note: {{ doc.note|linkify|linebreaksbr }}</i>
 	      {% endif %}
             </td>
           <td>{{ doc.intended_std_level.name }}</td>

ietf/templates/doc/shepherd_writeup.html

@@ -12,7 +12,7 @@
   {% origin %}
   <h1>Shepherd writeup<br><small>{{ doc.canonical_name }}-{{ doc.rev }}</small></h1>
 
-  <pre class="pasted">{{writeup|escape|linkify}}</pre>
+  <pre class="pasted">{{writeup|linkify}}</pre>
 
   {% if can_edit %}
     <a class="btn btn-primary" href="{% url 'ietf.doc.views_draft.edit_shepherd_writeup' name=doc.name %}">Edit</a>

ietf/templates/group/all_status.html

@@ -29,7 +29,7 @@ <h2> {{area_item.grouper.acronym|upper}}
                <span class="label label-success">{{ rpt.group.state.slug|upper }}</span> 
             {% endif %}
            <br> {{rpt.time|date:"Y-m-d"}}</td>
-      <td><pre class="pasted">{{ rpt.desc|default:"(none)"|escape|linkify }}</pre></td>
+      <td><pre class="pasted">{{ rpt.desc|default:"(none)"|linkify }}</pre></td>
      </tr>
     {% endfor %}
 </table>
@@ -44,7 +44,7 @@ <h2> IRTF <small>Internet Research Task Force</small> </h2>
               <span class="label label-success">{{ rpt.group.state.slug|upper }}</span> 
            {% endif %}
           <br> {{rpt.time|date:"Y-m-d"}}</td>
-    <td><pre class="pasted">{{ rpt.desc|default:"(none)"|escape|linkify }}</pre></td>
+    <td><pre class="pasted">{{ rpt.desc|default:"(none)"|linkify }}</pre></td>
   </tr>
 {% endfor %}
 </table>

ietf/templates/group/group_about_status.html

@@ -16,7 +16,7 @@ <h1>
     Status update for {{ group.type.name }} {{ group.acronym }}
   </h1>
 
-  <pre class="pasted">{{ status_update.desc|default:"(none)"|escape|linkify }}</pre>
+  <pre class="pasted">{{ status_update.desc|default:"(none)"|linkify }}</pre>
 
   {% if can_provide_status_update %}
     <a id="edit_button" class="btn btn-primary" href="{% url "ietf.group.views.group_about_status_edit" acronym=group.acronym %}">Edit</a>

ietf/templates/group/group_about_status_meeting.html

@@ -16,7 +16,7 @@ <h1>
     Status update for {{ group.type.name }} {{ group.acronym }} at {{meeting}}
   </h1>
 
-  <pre class="pasted">{{ status_update.desc|default:"(none)"|escape|linkify }}</pre>
+  <pre class="pasted">{{ status_update.desc|default:"(none)"|linkify }}</pre>
 
   <a class="btn btn-default pull-right" href="{% url "ietf.meeting.views.proceedings" num=meeting.number %}">Back</a>
 

ietf/utils/templatetags/textfilters.py

@@ -4,6 +4,7 @@
 
 from django import template
 from django.template.defaultfilters import stringfilter
+from django.utils.html import escape
 from django.utils.safestring import mark_safe
 
 import debug                            # pyflakes:ignore
@@ -71,5 +72,5 @@ def texescape_filter(value):
 @register.filter
 @stringfilter
 def linkify(value):
-    text = mark_safe(bleach.linkify(value))
+    text = mark_safe(bleach.linkify(escape(value)))
     return text