issue2551099 - disable processing of data url's in markdown.

Display as plain text.

Added 'data' to templating.py _disable_url_schemes array. User should
be able to re-enable it by changing the array from the tracker's
interfaces.py. Markdown tests failed before the change to
_disable_url_schemes.

Also add second separate data test for ReST and plain text processing.
data url's look like they are already ignored in these proess streams.

Author: rouilj

CHANGES.txt

@@ -45,6 +45,8 @@ Fixed:
 - issue2551097 - fix underlying bug in use of fenced codeblocks with
   markdown2. Fix for issue2551093 to prevent exception trigger.
   (patch: Cedric Krier)
+- issue2551099 - disable processing of data url's in markdown. Display
+  as plain text. (John Rouillard)
 
 Features:
 - issue2550522 - Add 'filter' command to command-line

roundup/cgi/templating.py

@@ -20,7 +20,7 @@
 __docformat__ = 'restructuredtext'
 
 # List of schemes that are not rendered as links in rst and markdown.
-_disable_url_schemes = [ 'javascript' ]
+_disable_url_schemes = [ 'javascript', 'data' ]
 
 import base64, cgi, re, os.path, mimetypes, csv, string
 import calendar

test/test_templating.py

@@ -281,9 +281,10 @@ def test_string_rst(self):
 </div>
 </div>
 '''
-	# test case to make sure javascript url's aren't turned into links
-        s = StringHTMLProperty(self.client, 'test', '1', None, 'test', u2s(u'<badtag>\njavascript:badcode'))
-        s_result = '<div class="document">\n<p>&lt;badtag&gt;\njavascript:badcode</p>\n</div>\n'
+	# test case to make sure javascript and data url's aren't turned
+        # into links
+        s = StringHTMLProperty(self.client, 'test', '1', None, 'test', u2s(u'<badtag>\njavascript:badcode data:text/plain;base64,SGVsbG8sIFdvcmxkIQ=='))
+        s_result = '<div class="document">\n<p>&lt;badtag&gt;\njavascript:badcode data:text/plain;base64,SGVsbG8sIFdvcmxkIQ==</p>\n</div>\n'
 
         self.assertEqual(p.rst(), u2s(u'<div class="document">\n<p>A string with <a class="reference external" href="mailto:cmeerw&#64;example.com">cmeerw&#64;example.com</a> <em>embedded</em> \u00df</p>\n</div>\n'))
         self.assertEqual(q.rst(), u2s(q_result))
@@ -489,6 +490,16 @@ def test_string_markdown_javascript_link(self):
         p = StringHTMLProperty(self.client, 'test', '1', None, 'test', u2s(u'[link](javascript:alert(1))'))
         self.assertTrue(p.markdown().find('href="javascript:') == -1)
 
+    def test_string_markdown_data_link(self):
+        # make sure we don't get a "data:" link
+        p = StringHTMLProperty(self.client, 'test', '1', None, 'test', u2s(u'<data:text/plain;base64,SGVsbG8sIFdvcmxkIQ==>'))
+        print(p.markdown())
+        self.assertTrue(p.markdown().find('href="data:') == -1)
+
+        p = StringHTMLProperty(self.client, 'test', '1', None, 'test', u2s(u'[data link](data:text/plain;base64,SGVsbG8sIFdvcmxkIQ==)'))
+        print(p.markdown())
+        self.assertTrue(p.markdown().find('href="data:') == -1)
+
 
     def test_string_markdown_forced_line_break(self):
         p = StringHTMLProperty(self.client, 'test', '1', None, 'test', u2s(u'This is a set of text  \n:that should have a break  \n:at newlines. Each  \n:colon should be the start of an html line'))