fix: escape linkify filter input (#9389)

jennifer-richards · web-flow · commit b7da3d7a779f · 2025-08-21T08:25:49.000-05:00
* fix: escape linkify filter input

* test: exercise linkify

* chore: lint
diff --git a/ietf/utils/templatetags/tests.py b/ietf/utils/templatetags/tests.py
@@ -3,6 +3,7 @@
 from django.template import Context, Origin, Template
 from django.test import override_settings
 
+from ietf.utils.templatetags.textfilters import linkify
 from ietf.utils.test_utils import TestCase
 import debug  # pyflakes: ignore
 
@@ -39,3 +40,68 @@ def test_origin_outside_base_dir(self):
                 output = template.render(Context())
                 self.assertNotIn(component, output,
                                  'Full path components should not be revealed in html')
+
+
+class TextfiltersTests(TestCase):
+    def test_linkify(self):
+        # Cases with autoescape = True (the default)
+        self.assertEqual(
+            linkify("plain string"),
+            "plain string",
+        )
+        self.assertEqual(
+            linkify("https://www.ietf.org"),
+            '<a href="https://www.ietf.org">https://www.ietf.org</a>',
+        )
+        self.assertEqual(
+            linkify('<a href="https://www.ietf.org">IETF</a>'),
+            (
+                '&lt;a href=&quot;<a href="https://www.ietf.org">https://www.ietf.org</a>&quot;&gt;IETF&lt;/a&gt;'
+            ),
+        )
+        self.assertEqual(
+            linkify("somebody@example.com"),
+            '<a href="mailto:somebody@example.com">somebody@example.com</a>',
+        )
+        self.assertEqual(
+            linkify("Some Body <somebody@example.com>"),
+            (
+                'Some Body &lt;<a href="mailto:somebody@example.com">'
+                'somebody@example.com</a>&gt;'
+            ),
+        )
+        self.assertEqual(
+            linkify("<script>alert('h4x0r3d');</script>"),
+            "&lt;script&gt;alert(&#x27;h4x0r3d&#x27;);&lt;/script&gt;",
+        )
+
+        # Cases with autoescape = False (these are dangerous and assume the caller
+        # has sanitized already)
+        self.assertEqual(
+            linkify("plain string", autoescape=False),
+            "plain string",
+        )
+        self.assertEqual(
+            linkify("https://www.ietf.org", autoescape=False),
+            '<a href="https://www.ietf.org">https://www.ietf.org</a>',
+        )
+        self.assertEqual(
+            linkify('<a href="https://www.ietf.org">IETF</a>', autoescape=False),
+            '<a href="https://www.ietf.org">IETF</a>',
+        )
+        self.assertEqual(
+            linkify("somebody@example.com", autoescape=False),
+            '<a href="mailto:somebody@example.com">somebody@example.com</a>',
+        )
+        # bleach.Linkifier translates the < -> &lt; and > -> &gt; on this one
+        self.assertEqual(
+            linkify("Some Body <somebody@example.com>", autoescape=False),
+            (
+                'Some Body &lt;<a href="mailto:somebody@example.com">'
+                'somebody@example.com</a>&gt;'
+            ),
+        )
+        self.assertEqual(
+            linkify("<script>alert('friendly script');</script>", autoescape=False),
+            "<script>alert('friendly script');</script>",
+        )
diff --git a/ietf/utils/templatetags/textfilters.py b/ietf/utils/templatetags/textfilters.py
@@ -7,6 +7,7 @@
 from django import template
 from django.conf import settings
 from django.template.defaultfilters import stringfilter
+from django.utils.html import conditional_escape
 from django.utils.safestring import mark_safe
 
 import debug                            # pyflakes:ignore
@@ -71,10 +72,13 @@ def texescape_filter(value):
     "A TeX escape filter"
     return texescape(value)
     
-@register.filter
+@register.filter(needs_autoescape=True)
 @stringfilter
-def linkify(value):
-    text = mark_safe(_linkify(value))
+def linkify(value, autoescape=True):
+    if autoescape:
+        # Escape unless the input was already a SafeString
+        value = conditional_escape(value)
+    text = mark_safe(_linkify(value))  # _linkify is a safe operation
     return text
 
 @register.filter
diff --git a/ietf/utils/text.py b/ietf/utils/text.py
@@ -60,6 +60,12 @@ def check_url_validity(attrs, new=False):
 
 
 def linkify(text):
+    """Convert URL-ish substrings into HTML links
+    
+    This does no sanitization whatsoever. Caller must sanitize the input or output as
+    contextually appropriate. Do not call `mark_safe()` on the output if the input is
+    user-provided unless it has been sanitized or escaped.
+    """
     return _bleach_linker.linkify(text)
 
 
