Bizzare behavior when Linky meets double quotes("") and (>) in url #5946

sunderls · 2014-01-23T05:27:59Z

Hei, guys,

we are building a project using Angular, but found that filter linky have bizzare behavior when the url has double quotes and >

steps to reproduce
for this piece of raw text


https://www.google.co.jp/search?q="ddddd>test so

"linky" will generate something like this

<a href="https://www.google.co.jp/search?q=">test">https://www.google.co.jp/search?q="ddddd>test</a> so

looking at source code
the linky.js use this function to generate <a> element,

 function addLink(url, text) {
      html.push('<a ');
      if (angular.isDefined(target)) {
        html.push('target="');
        html.push(target);
        html.push('" ');
      }
      html.push('href="');
      html.push(url);
      html.push('">');
      addText(text);
      html.push('</a>');
    }

the thing is , new <a> element's attribute is surrounded by double quote ", and if the url detected from regexp also has double quote, problems occur. The html generated before sanitizing is

<a href="http://www.google.co.jp/search/?q="ddddd>test">http://www.google.co.jp/search/?q=&#34;ddddd&gt;test</a> so

after sanitizing, it becomes

<a href="http://www.google.co.jp/search/?q=">test&#34;&gt;http://www.google.co.jp/search/?q=&#34;ddddd&gt;test</a> so

as you can see, extra "test" comes and the link url is sliced.

if there is only double quote " and no >, the link text is ok but url is still not full.

Suggestion

Although it is not often to have " or > to be seen in a url , but since the Regexp used to detect link allows both of them, so I think maybe it's best to make look good.

maybe one way is to change " to ",

html.push(url.replace(/"/g,'&quot;');

The text was updated successfully, but these errors were encountered:

bilalq · 2014-08-01T22:50:42Z

+1

I'm running into this issue as well.

lgalfaso · 2014-11-18T23:04:31Z

this is tracked by #10090

Email addresses can (under certain restrictions) include double quote characters. See http://tools.ietf.org/html/rfc3696#section-3. For example, `"Jo Bloggs"@abc.com` is a valid email address. When serializing emails to the `href` attribute of an anchor element, we must HTML encode these double quote characters. See http://www.w3.org/TR/html-markup/syntax.html#syntax-attr-double-quoted This commit does not attempt to improve the functionality (i.e. regex) that attempts to identify email addresses in a general string. Closes #8945 Closes #8964 Closes #5946 Closes #10090 Closes #9256

Narretz added component: misc core labels Jun 21, 2014

Narretz added this to the Backlog milestone Jun 21, 2014

btford removed the gh: issue label Aug 20, 2014

jeffbcross modified the milestones: 1.3.0-rc.3, Backlog Sep 18, 2014

jeffbcross assigned jeffbcross and unassigned jeffbcross Sep 18, 2014

jeffbcross modified the milestones: 1.3.0-rc.3, 1.3.0 Sep 22, 2014

btford modified the milestones: Backlog, 1.3.0 Sep 30, 2014

lgalfaso closed this as completed Nov 18, 2014

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Bizzare behavior when Linky meets double quotes("") and (>) in url #5946

Bizzare behavior when Linky meets double quotes("") and (>) in url #5946

sunderls commented Jan 23, 2014

bilalq commented Aug 1, 2014

lgalfaso commented Nov 18, 2014

Bizzare behavior when Linky meets double quotes("") and (>) in url #5946

Bizzare behavior when Linky meets double quotes("") and (>) in url #5946

Comments

sunderls commented Jan 23, 2014

bilalq commented Aug 1, 2014

lgalfaso commented Nov 18, 2014