Bug(s) in Discourse handing of URIs in markdown content

urn:records:test:3 is a valid RFC 3986 URI.

Discourse doesn’t handle it properly, no matter what markdown is used.

  • Just paste it, like an HTTP URI, and Discourse completely ignores the fact that it’s a URI, as here: urn:records:test:3.

  • Wrap it in <>, as <urn:records:test:3>, and Discourse flips the last two segments, as here: urn:records:3:test. Right-click-copy, and you’ll get either urn:records or test:3, depending on exactly where your mouse cursor is. Left-click it, and nothing happens, because it’s not quite treated as a URI.

  • Put it in full link markup, i.e., [text over `urn:records:test:3`](urn:records:test:3), and Discourse drops the last segment from the right-click copyable – and again, not-live-clickable – URI, live here in text over urn:records:test:3, where a right-click-copy will get urn:records:test, or as with [`urn:records:test:3`](urn:records:test:3), live here in urn:records:test:3, where a right-click-copy will get urn:records:test or 3, depending on exactly where your mouse cursor is.

I’ve not done exhaustive testing of all valid URI constructs. urn:records:test:3 just happens to be a real-world local example.

2 Likes

Indeed, our allowed_href_schemes site setting only works with schemes that use the scheme:// format.

https://github.com/discourse/discourse/blob/master/app/assets/javascripts/pretty-text/addon/sanitizer.js#L59

2 Likes

I can’t tell whether that’s acknowledging a bug, or saying “yes, that’s the expected behavior”…

Please clarify?

That is indeed a bug. It’s caused by our sanitizer code that only recognizes href schemes that start with the scheme:// format.

3 Likes