text annotations: < in href params breaks href tag

[endymonium]

Hi,

I would like to show a link in chart, unfortunately that links query contains a '<', which leads to plotly not recognizing it as a link: https://jsfiddle.net/2krwamLv/1/

If I encode the '<' manually prior, plotly encodes it again. I looked at the code https://github.com/plotly/plotly.js/blob/master/src/lib/svg_text_utils.js#L214-L221 but I found no easy way around this.

Any ideas?

Thanks,
Jan

[alexcjohnson]

Thanks for the report @endymonium - you're correct, I don't see any workaround without altering the code. This is a tricky section of code, due to the risk of XSS, but seems to me there are two things we can do, either one of which would give you a workaround:

1. Allow already-escaped href attributes to be used verbatim - perhaps this would be as easy as replacing this line nodeSpec.href = encodeURI(href); with nodeSpec.href = encodeURI(decodeURI(href)); since the decodeURI is a noop if the URI is already decoded, but would prevent double encoding.
2. Be smarter about SPLIT_TAGS and ONE_TAG to allow < and > inside attribute strings, which does seem like it would match the permissiveness of browsers, at least as far as href is concerned. This we would need to be very careful about though, security-wise, as these characters could be dangerous in other attributes that we don't explicitly sanitize later.

Option 1 seems fairly straightforward, and would just need to be paired with a test or two in svg_text_utils_test.js of the kind of links this allows us to support. Feel like giving it a try?