markdown: sanitize links

terrastruct · Nov 18, 2024 · d09d27f · d09d27f
1 parent ad62935
commit d09d27f
Show file tree

Hide file tree

Showing 7 changed files with 401 additions and 15 deletions.
diff --git a/ci/release/changelogs/next.md b/ci/release/changelogs/next.md
@@ -9,3 +9,4 @@
 #### Bugfixes ⛑️
 
 - Imports: fixes using substitutions in `icon` values [#2207](https://github.com/terrastruct/d2/pull/2207)
+- Markdown: fixes ampersands in URLs in markdown [#2219](https://github.com/terrastruct/d2/pull/2219)
diff --git a/d2compiler/compile_test.go b/d2compiler/compile_test.go
@@ -935,6 +935,14 @@ b.(x -> y)[0]: two
 				}
 			},
 		},
+		{
+			name: "markdown_ampersand",
+
+			text: `memo: |md
+  <a href="https://www.google.com/search?q=d2&newwindow=1">d2</a>
+|
+`,
+		},
 		{
 			name: "unsemantic_markdown",
 
@@ -943,7 +951,6 @@ foobar
 <p>
 |
 `,
-			expErr: `d2/testdata/d2compiler/TestCompile/unsemantic_markdown.d2:1:1: malformed Markdown: element <p> closed by </div>`,
 		},
 		{
 			name: "unsemantic_markdown_2",
@@ -953,7 +960,6 @@ foo<br>
 bar
 |
 `,
-			expErr: `d2/testdata/d2compiler/TestCompile/unsemantic_markdown_2.d2:1:1: malformed Markdown: element <br> closed by </p>`,
 		},
 		{
 			name: "edge_map",

diff --git a/lib/textmeasure/links.go b/lib/textmeasure/links.go
@@ -0,0 +1,55 @@
+package textmeasure
+
+import (
+	"bytes"
+	"net/url"
+	"strings"
+
+	"golang.org/x/net/html"
+)
+
+func sanitizeLinks(input string) (string, error) {
+	doc, err := html.Parse(strings.NewReader(input))
+	if err != nil {
+		return "", err
+	}
+
+	var process func(*html.Node)
+	process = func(n *html.Node) {
+		if n.Type == html.ElementNode {
+			for i, a := range n.Attr {
+				if a.Key == "href" {
+					if u, err := url.Parse(a.Val); err == nil {
+						if u.RawQuery != "" {
+							q := u.Query()
+							u.RawQuery = q.Encode()
+						}
+						n.Attr[i].Val = u.String()
+					}
+				}
+			}
+		}
+		for c := n.FirstChild; c != nil; c = c.NextSibling {
+			process(c)
+		}
+	}
+	process(doc)
+
+	var buf bytes.Buffer
+	if doc.FirstChild != nil && doc.FirstChild.FirstChild != nil {
+		body := doc.FirstChild.LastChild
+		if body != nil {
+			for c := body.FirstChild; c != nil; c = c.NextSibling {
+				// NOTE: this has the effect of also HTML rendering nodes, which is
+				// robust to some malformed tags like <br>. Since this works in most
+				// HTML contexts anyway, this is not unintended
+				err = html.Render(&buf, c)
+				if err != nil {
+					return "", err
+				}
+			}
+			return buf.String(), nil
+		}
+	}
+	return input, nil
+}
diff --git a/lib/textmeasure/markdown.go b/lib/textmeasure/markdown.go
@@ -83,7 +83,11 @@ func RenderMarkdown(m string) (string, error) {
 	if err := markdownRenderer.Convert([]byte(m), &output); err != nil {
 		return "", err
 	}
-	return output.String(), nil
+	sanitized, err := sanitizeLinks(output.String())
+	if err != nil {
+		return "", err
+	}
+	return sanitized, nil
 }
 
 func init() {

diff --git a/testdata/d2compiler/TestCompile/markdown_ampersand.exp.json b/testdata/d2compiler/TestCompile/markdown_ampersand.exp.json
diff --git a/testdata/d2compiler/TestCompile/unsemantic_markdown.exp.json b/testdata/d2compiler/TestCompile/unsemantic_markdown.exp.json
Original file line number	Diff line number	Diff line change
Expand Up		@@ -9,3 +9,4 @@
		#### Bugfixes ⛑️

		- Imports: fixes using substitutions in `icon` values [#2207](https://github.com/terrastruct/d2/pull/2207)
		- Markdown: fixes ampersands in URLs in markdown [#2219](https://github.com/terrastruct/d2/pull/2219)