
    Allow the list of Markdown-safe URL protocols to be customized.

    Review Request #11601 — Created May 11, 2021 and submitted

    Information

    Review Board
    release-3.0.x


    When adding the enhanced HTML/URL sanitization for Markdown rendering in
    Review Board 3.0.22, we broke a particular use case from one of our
    users. They were making use of eclipse:// URLs, which linked to some
    part of their Eclipse setup. The only URL protocols allowed were
    http://, https://, and mailto:, and anything else got basically
    stripped away or turned into text.

    It's likely this user's use case isn't unique. To support it, we're
    introducing an advanced setting in settings_local.py:
    ALLOWED_MARKDOWN_URL_PROTOCOLS. This can be set to a list of URL
    protocols considered safe, and will supplement the defaults.

    There's no configuration for this, and it's not currently documented
    outside of an entry in settings.py, but it'll be available as a
    feature in 3.0.24.

    Unit tests pass.
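
An added example, not part of the review request and not Review Board's own code: a minimal scheme allowlist check in the spirit of the change described above, where site-supplied protocols supplement the http, https and mailto defaults and anything else is rendered as plain text. The function names, the `SITE_EXTRA` values and the accepted spelling of entries (`eclipse` or `eclipse://`) are assumptions for illustration.

```python
import html
import re

# Defaults named in the description above; site additions supplement them.
DEFAULT_PROTOCOLS = ("http", "https", "mailto")

# RFC 3986 scheme syntax, anchored at the start of the URL.
_SCHEME_RE = re.compile(r"^([A-Za-z][A-Za-z0-9+.\-]*):")

# Characters a browser trims from the front of a URL (C0 controls and space).
_LEADING_JUNK = "".join(map(chr, range(0x21)))


def allowed_protocols(extra=()):
    """Defaults plus site additions, normalized to bare lowercase scheme names."""
    return frozenset(p.lower().rstrip(":/") for p in (*DEFAULT_PROTOCOLS, *extra))


def url_scheme(url):
    """Return the lowercase scheme a browser would see, or None if relative."""
    # Browsers drop tab/CR/LF anywhere in a URL, so normalize the same way
    # before reading the scheme; otherwise the check and the browser disagree.
    cleaned = re.sub(r"[\t\r\n]", "", url).lstrip(_LEADING_JUNK)
    match = _SCHEME_RE.match(cleaned)
    return match.group(1).lower() if match else None


def render_link(text, url, extra=()):
    """Emit an anchor for allowed schemes; otherwise fall back to plain text."""
    scheme = url_scheme(url)
    if scheme is None or scheme in allowed_protocols(extra):
        return '<a href="%s">%s</a>' % (html.escape(url, quote=True),
                                        html.escape(text))
    return html.escape(text)


# Constructed sample value standing in for ALLOWED_MARKDOWN_URL_PROTOCOLS
# (the entry format is an assumption).
SITE_EXTRA = ["eclipse://"]

if __name__ == "__main__":
    for sample in ("eclipse://open?file=a.py", "java\tscript:alert(1)", "/r/11601/"):
        print(repr(sample), "->", render_link("link", sample, SITE_EXTRA))
```

Relative URLs have no scheme of their own and inherit the page's, which is why `url_scheme` returning `None` is treated as allowed here.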
