Fri Oct 1 08:50:57 EDT 2010

On Fri, Oct 01, 2010 at 02:15:41PM +0200, PyroPeter wrote:
> I did not mean to offend you, and after applying the patch (which I
> should have done before sending the mails, you are right) your code
> in fact seems to work a lot better than I thought.

I didn't feel offended in any way, but reporting bugs that don't exist
is just counterproductive and a waste of time.

> While testing, I found a bug:
> Post this URL: http://foo.bar/<><>
> It seems to trigger two bugs at once, first, the regex does not match
> whole URL, and second, the href is escaped twice.

I already said that there might be problems if the URL contains quotes
or less-than/greater-than symbols in another mail [1]. This can be fixed
by removing the first str_replace() (which I also proposed in the same
mail) or by repeating the second str_replace() for '"', "'",
"<" and ">" (which might be even better from the perspective of
security). However, I don't think such URLs will be a common use case.

The second "bug" is expected behaviour, since punctuation marks at the
end of URLs shouldn't be included in the URL itself (imagine someone
putting a link at the end of a sentence). This is also how DokuWiki and
Flyspray behave. If there really is a URL requiring a punctuation mark
at the end of the URL (which there shouldn't be at all), this can be
remarked in the comment itself.
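The two points discussed in this thread (escape the href exactly once, and treat a trailing punctuation mark as part of the sentence rather than the URL) are shown below in a stand-alone PHP function. This is an added example, not the patch or the project's code; the function name linkify_comment and the set of characters treated as trailing punctuation are assumptions made for the example.

```php
<?php
// Added example: turn http(s) URLs in a plain-text comment into links.
// Every piece of output passes through htmlspecialchars() exactly once,
// which avoids the double-escaped href described in the bug report.
function linkify_comment(string $text): string
{
    // Stop the match at whitespace, quotes and angle brackets, so an
    // input such as http://foo.bar/<><> cannot carry markup into the href.
    $pattern = '~https?://[^\s"\'<>]+~i';
    // Characters that end a sentence and therefore are not part of the URL
    // (the exact set is an assumption for this example).
    $trailing = '.,;:!?)';

    $out = '';
    $offset = 0;
    if (preg_match_all($pattern, $text, $m, PREG_OFFSET_CAPTURE)) {
        foreach ($m[0] as [$url, $pos]) {
            // Plain text before the URL, escaped once.
            $out .= htmlspecialchars(substr($text, $offset, $pos - $offset), ENT_QUOTES, 'UTF-8');

            // Peel trailing punctuation off the match and emit it as text.
            $trail = '';
            while ($url !== '' && strpos($trailing, substr($url, -1)) !== false) {
                $trail = substr($url, -1) . $trail;
                $url = substr($url, 0, -1);
            }

            // The same escaped string serves as attribute value and link text.
            $safe = htmlspecialchars($url, ENT_QUOTES, 'UTF-8');
            $out .= '<a href="' . $safe . '">' . $safe . '</a>'
                  . htmlspecialchars($trail, ENT_QUOTES, 'UTF-8');

            // $url + $trail together make up the original match length.
            $offset = $pos + strlen($url) + strlen($trail);
        }
    }
    // Remaining text after the last URL, escaped once.
    $out .= htmlspecialchars(substr($text, $offset), ENT_QUOTES, 'UTF-8');
    return $out;
}

// Constructed sample input taken from the thread's report.
echo linkify_comment("See http://foo.bar/<><> and http://example.org/page.\n");
```

Because the pattern excludes quotes and angle brackets, the first URL's href ends at the slash and the four angle brackets are emitted as entity-escaped text after the link; the second URL keeps its path and the full stop is placed outside the anchor. Escaping once per output fragment is the property to check whenever the regex or the replacement list changes.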
