-
-
Notifications
You must be signed in to change notification settings - Fork 7k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Fix rendering <a>
without href
when scheme unsupported
#13040
Conversation
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
If the link has Mastodon-style formatting, it will hide the invisible
parts and apply ellipsis
, making the link unusable. So there needs to be some extra processing, or the CSS needs to be reworked.
I'm not opposed to removing the Also, a |
c49dbd2
to
d0ba3fa
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
seems good overall, except for the inlined nitpicks
also, I'm not sure it makes sense to allow all the supported protocols (which shouldn't be called HTTP_PROTOCOLS
anymore) in embed
and iframe
tags
end | ||
rescue Addressable::URI::InvalidURIError | ||
nil | ||
end |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This whole thing is done without fully parsing URLs in Sanitize
cf. https://github.com/rgrove/sanitize/blob/master/lib/sanitize/transformers/clean_element.rb#L143
It's probably safer (in terms of possible changed behaviors) and more CPU-efficient to do it the same way.
Btw, I think we should either reject URLs or rewrite them to be relative to the original status (an option I prefer, but is maybe not worth it).
8160ace
to
543551e
Compare
- Disallow links with relative paths - Disallow iframes with non-http protocols and relative paths Close #13037
543551e
to
1b5ca22
Compare
Close #13037
This replaces an
<a>
that has nohref
with its children. But maybe we don't want any children elements like<span>
to stick around?