Allow the list of Markdown-safe URL protocols to be customized.
Review Request #11601 — Created May 11, 2021 and submitted

When adding the enhanced HTML/URL sanitization for Markdown rendering in
Review Board 3.0.22, we broke a particular use case from one of our
users. They were making use of eclipse:// URLs, which linked to some
part of their Eclipse setup. The only URL protocols allowed were
mailto:, and anything else got basically stripped away or turned into
text.

It's likely this user's use case isn't unique. To support it, we're
introducing an advanced setting in ALLOWED_MARKDOWN_URL_PROTOCOLS. This
can be set to a list of URL protocols considered safe, and will
supplement the defaults.

There's no configuration for this, and it's not currently documented
outside of an entry in settings.py, but it'll be available as a feature
in 3.0.24.

Unit tests pass.
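
An added example, not Review Board's own code: a sketch of how a protocol allowlist supplemented by a site setting such as ALLOWED_MARKDOWN_URL_PROTOCOLS can gate Markdown link rendering, with disallowed links falling back to plain text. The default set, the function names and the simplified link regex are assumptions made for illustration.

```python
import html
import re

# Assumed defaults for this example only; not Review Board's actual list.
DEFAULT_PROTOCOLS = frozenset({"http", "https", "mailto"})

# Stand-in for the settings.py entry named in the description.
ALLOWED_MARKDOWN_URL_PROTOCOLS = ["eclipse"]

_SCHEME_RE = re.compile(r"^([A-Za-z][A-Za-z0-9+.\-]*):")
_CONTROL_RE = re.compile(r"[\x00-\x1f\x7f]")
_LINK_RE = re.compile(r"\[([^\]]*)\]\(([^)]*)\)")  # simplified [text](url)


def allowed_protocols(extra=None):
    """Return the defaults plus site additions as bare lowercase names."""
    if extra is None:
        extra = ALLOWED_MARKDOWN_URL_PROTOCOLS
    # Accept "eclipse", "eclipse:" and "eclipse://" spellings alike.
    cleaned = {p.strip().lower().rstrip(":/") for p in extra}
    return DEFAULT_PROTOCOLS | {p for p in cleaned if p}


def is_safe_url(url, protocols=None):
    """Accept scheme-less URLs and URLs whose scheme is allowlisted."""
    protocols = allowed_protocols() if protocols is None else protocols
    url = url.strip()
    # Tabs, newlines and other control characters can hide a scheme from
    # a naive prefix check ("java\tscript:"), so refuse them outright.
    if _CONTROL_RE.search(url):
        return False
    match = _SCHEME_RE.match(url)
    if match is None:
        return True  # relative path, fragment or query: no protocol
    return match.group(1).lower() in protocols


def render_links(markdown, protocols=None):
    """Turn [text](url) into anchors; disallowed links become plain text."""
    def replace(m):
        text, url = html.escape(m.group(1)), m.group(2)
        if not is_safe_url(url, protocols):
            return text
        href = html.escape(url.strip(), quote=True)
        return '<a href="%s">%s</a>' % (href, text)
    return _LINK_RE.sub(replace, markdown)
```

Because the site list is merged into the defaults rather than replacing them, an empty or missing setting leaves the stricter behaviour in place.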