Bug(s) in Discourse handling of URIs in markdown content

urn:records:test:3 is a valid RFC 3986 URI.

Discourse doesn’t handle it properly, no matter what markdown is used.

  • Just paste it, like an HTTP URI, and Discourse completely ignores the fact that it’s a URI, as here: urn:records:test:3.

  • Wrap it in <>, as <urn:records:test:3>, and Discourse flips the last two segments, as here: urn:records:3:test. Right-click-copy, and you’ll get either urn:records or test:3, depending on exactly where your mouse cursor is. Left-click it, and nothing happens, because it’s not quite treated as a URI.

  • Put it in full link markup, i.e., [text over `urn:records:test:3`](urn:records:test:3), and Discourse drops the last segment from the right-click copyable – and again, not-live-clickable – URI, live here in text over urn:records:test:3, where a right-click-copy will get urn:records:test, or as with [`urn:records:test:3`](urn:records:test:3), live here in urn:records:test:3, where a right-click-copy will get urn:records:test or 3, depending on exactly where your mouse cursor is.

I’ve not done exhaustive testing of all valid URI constructs. urn:records:test:3 just happens to be a real-world local example.

3 Likes

Indeed, our allowed_href_schemes site setting only works with schemes that use the scheme:// format.

https://github.com/discourse/discourse/blob/master/app/assets/javascripts/pretty-text/addon/sanitizer.js#L59

4 Likes

I can’t tell whether that’s acknowledging a bug, or saying “yes, that’s the expected behavior”…

Please clarify?

1 Like

That is indeed a bug. It’s caused by our sanitizer code that only recognizes href schemes that start with the scheme:// format.

5 Likes

I’ve just run into this bug with geo URIs, which look like geo:36.95733984,-122.0172856.

I see there is an exception for tel URI:

    if (allowedHrefSchemes.includes("tel")) {
      extraHrefMatchers.push(new RegExp("^tel://\\+?[\\w\\.\\-]+", "i"));
    }

There is Uniform Resource Identifier (URI) Schemes, but I used List of URI schemes - Wikipedia to check the schemes as they include examples. I’m looking at the, um, scheme-name “suffix”, the :// (what is that called? “Scheme format”?).

From careful eyeballing, it seems there are only three patterns used:

  • ://
  • :/
  • :

My brain is having difficulty tracking where this is happening in relation to writing markdown and converting to href, but I think if we can figure out how to check for those three formats, we should be good for any scheme added by the admin.

No idea on how to validate per scheme… :thinking:


My unofficial code names for the formats:

  • : “observing”
  • :/ “skeptical”
  • :// “double skeptical”

1 Like
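An added example, not part of any post in this thread and not Discourse's own code: it contrasts a matcher shaped like the quoted `tel` line (scheme must be followed by `://`) with a check that parses the scheme per RFC 3986 and compares it to the allow-list, which covers all three of the `:`, `:/` and `://` forms. The function names and the allow-list contents are assumptions made for illustration.

```javascript
// Constructed allow-list, as an admin might enter it in allowed_href_schemes.
const allowedHrefSchemes = ["urn", "geo", "xmpp", "web+demo"];

// Scheme names may contain "+" and ".", which are regex metacharacters.
function escapeRegExp(s) {
  return s.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
}

// Hypothetical matcher modelled on the quoted tel pattern: requires "://".
function slashOnlyMatcher(schemes) {
  const alt = schemes.map(escapeRegExp).join("|");
  return new RegExp("^(" + alt + ")://[\\w\\.\\-]+", "i");
}

// Hypothetical alternative: extract the scheme using the RFC 3986 grammar
// (ALPHA followed by ALPHA / DIGIT / "+" / "-" / ".", then ":") and require
// an exact, case-insensitive allow-list hit. Anything not listed is refused.
function hrefAllowed(href, schemes) {
  if (typeof href !== "string") return false;
  // Refuse whitespace and control characters outright, so a scheme split by
  // a tab or newline is never normalised into an allowed or dangerous one.
  if (/[\u0000-\u0020\u007f]/.test(href)) return false;
  const m = /^([a-z][a-z0-9+.\-]*):(.+)$/i.exec(href);
  if (!m) return false;
  const scheme = m[1].toLowerCase();
  return schemes.some((s) => s.toLowerCase() === scheme);
}

// URIs quoted in the thread, plus constructed ones marked as such.
const samples = [
  "urn:records:test:3",
  "geo:36.95733984,-122.0172856",
  "xmpp:maiki@chat.v2.talkgroup.xyz",
  "xmpp://chat.example",          // constructed: "://" form
  "javascript:void(0)",           // constructed: scheme not on the allow-list
];

function compare(href) {
  return {
    slashOnly: slashOnlyMatcher(allowedHrefSchemes).test(href),
    schemeParsed: hrefAllowed(href, allowedHrefSchemes),
  };
}

for (const href of samples) {
  console.log(href, compare(href));
}
```

The scheme check only decides whether an href may be kept; per-scheme validation of what follows the colon, which the post above leaves open, is not attempted here.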

Copying and pasting the following into Discourse:

For secure messaging and calls connect with me over Snikket/XMPP at xmpp:maiki@chat.v2.talkgroup.xyz.

Produces (with xmpp added to allowed href schemes):

For secure messaging and calls connect with me over Snikket/XMPP at <a href="mailto:xmpp:maiki@chat.v2.talkgroup.xyz" dir="ltr">xmpp:maiki@chat.v2.talkgroup.xyz</a>.

The href="mailto:xmpp:maiki@chat.v2.talkgroup.xyz" is the issue in this case. Noting as a use case for this bug. :slight_smile:

2 Likes

Can this somehow be a workaround for GEO URIs? Am not a dev.