[aur-dev][PATCH] Correctly handle package sources which do not validate as an url

Lukas Fleischer lfleischer at archlinux.org
Sun Apr 28 12:26:34 UTC 2019

On Sat, 27 Apr 2019 at 23:49:11, Eli Schwartz wrote:
> Ah... yeah, that is a pretty good point. I'd probably want to display
> that as straight up plaintext.
> It definitely should not be appended to the cgit url if it is a valid
> schema, though. And regarding not making a link at all (e.g. for the
> common git:// protocol), how would that play with renamed sources like
> "$pkgname::git://example.com/project-something"?

What's the problem with that?

We always remove the "$pkgname::" prefix. And then, this source would be
shown as "git://example.com/project-something" without linking to

> I wish php had a schema validator that wasn't broken... python's
> urlparse cleverly handles all this nonsense, and you can just refuse to
> print urls with ParseResult(scheme='javascript',...). Maybe we should do
> string comparisons to reject javascript schemes? Is there anything else
> which matters in this context?

We could do that. But why blacklist instead of whitelist for such a
minor feature? I suggest to convert local links to cgit URLs, convert
HTTP/HTTPs/FTP to absolute links, and display everything else in plain


More information about the aur-dev mailing list