isso: html.py: Prevent auto creation of invalid links in comments (#995)

* isso: html.py: Prevent auto creation of invalid links

Fixes #557

CHANGES.rst

@@ -22,10 +22,12 @@ Bugfixes & Improvements
 - Changed website validation to allow domain names containing umlauts (`#951`_, schneidr)
 - Improve Spanish translation (`#967`_, welpo)
 - Make language code handling more robust (`#983`_, ix5)
+- Prevent auto creation of invalid links in comments (`#995`_, pkvach)
 
 .. _#951: https://github.com/posativ/isso/pull/951
 .. _#967: https://github.com/posativ/isso/pull/967
 .. _#983: https://github.com/posativ/isso/pull/983
+.. _#995: https://github.com/isso-comments/isso/pull/995
 
 0.13.1.dev0 (2023-02-05)
 ------------------------

isso/tests/test_html.py

@@ -67,6 +67,8 @@ def test_sanitizer(self):
              ['<a href="http://example.org/" rel="nofollow noopener">Ha</a>',
               '<a rel="nofollow noopener" href="http://example.org/">Ha</a>']),
             ('<a href="sms:+1234567890">Ha</a>', '<a>Ha</a>'),
+            ('ld.so', 'ld.so'),
+            ('/usr/lib/x86_64-linux-gnu/libc/memcpy-preload.so', '/usr/lib/x86_64-linux-gnu/libc/memcpy-preload.so'),
             ('<p style="visibility: hidden;">Test</p>', '<p>Test</p>'),
             ('<script>alert("Onoe")</script>', 'alert("Onoe")')]
 

isso/utils/html.py

@@ -27,6 +27,11 @@ def sanitize(self, text):
         clean_html = bleach.clean(text, tags=self.elements, attributes=self.attributes, strip=True)
 
         def set_links(attrs, new=False):
+            # Linker can misinterpret text as a domain name and create new invalid links.
+            # To prevent this, we only allow existing links to be modified.
+            if new:
+                return None
+
             href_key = (None, u'href')
 
             if href_key not in attrs: