From da5cf13644f2f8843cfdf3f53681ac685720c5a8 Mon Sep 17 00:00:00 2001
From: Alex Iribarren <Alex.Iribarren@cern.ch>
Date: Mar 11 2021 18:17:36 +0000
Subject: [PATCH 1/4] Show VCS and DistURL tags as links when appropriate


---

diff --git a/tests/test_www/test_util.py b/tests/test_www/test_util.py
index 0ead026..0f7c918 100644
--- a/tests/test_www/test_util.py
+++ b/tests/test_www/test_util.py
@@ -1,6 +1,6 @@
 import unittest
 
-from kojiweb.util import formatMode
+from kojiweb.util import formatMode, formatLink
 
 class TestFormatMode(unittest.TestCase):
     def test_format_mode(self):
@@ -16,3 +16,21 @@ class TestFormatMode(unittest.TestCase):
 
         for s, mode in formats:
             self.assertEqual(formatMode(mode), s)
+
+    def test_format_link(self):
+        formats = (
+            ('test me', 'test me'),
+            ('  test ', 'test'),
+            ('<script>hack</script>', '&lt;script&gt;hack&lt;/script&gt;'),
+            ('not://valid', 'not://valid'),
+            ('https://foo.com', '<a href="https://foo.com">https://foo.com</a>'),
+            ('http://bar.com/', '<a href="http://bar.com/">http://bar.com/</a>'),
+            ('HTtP://BaR.CoM/', '<a href="HTtP://BaR.CoM/">HTtP://BaR.CoM/</a>'),
+            ('https://baz.com/baz&t=1', '<a href="https://baz.com/baz&amp;t=1">https://baz.com/baz&amp;t=1</a>'),
+            ('ssh://git@pagure.io/foo', '<a href="ssh://git@pagure.io/foo">ssh://git@pagure.io/foo</a>'),
+            ('git://git@pagure.io/foo', '<a href="git://git@pagure.io/foo">git://git@pagure.io/foo</a>'),
+            ('obs://build.opensuse.org/foo', '<a href="obs://build.opensuse.org/foo">obs://build.opensuse.org/foo</a>'),
+        )
+
+        for input, output in formats:
+            self.assertEqual(formatLink(input), output)
diff --git a/www/kojiweb/buildinfo.chtml b/www/kojiweb/buildinfo.chtml
index 1198e07..c164c07 100644
--- a/www/kojiweb/buildinfo.chtml
+++ b/www/kojiweb/buildinfo.chtml
@@ -52,12 +52,12 @@
     #end if
     #if $vcs
     <tr>
-        <th><label title="Package source code VCS location">VCS</label></th><td>$util.escapeHTML($vcs)</td>
+        <th><label title="Package source code VCS location">VCS</label></th><td>$util.formatLink($vcs)</td>
     </tr>
     #end if
     #if $disturl
     <tr>
-        <th>DistURL</th><td>$util.escapeHTML($disturl)</td>
+        <th>DistURL</th><td>$util.formatLink($disturl)</td>
     </tr>
     #end if
     <tr>
diff --git a/www/kojiweb/rpminfo.chtml b/www/kojiweb/rpminfo.chtml
index fe2c714..f2313f3 100644
--- a/www/kojiweb/rpminfo.chtml
+++ b/www/kojiweb/rpminfo.chtml
@@ -70,12 +70,12 @@
     </tr>
     #if $vcs
     <tr>
-        <th><label title="Package source code VCS location">VCS</label></th><td>$util.escapeHTML($vcs)</td>
+        <th><label title="Package source code VCS location">VCS</label></th><td>$util.formatLink($vcs)</td>
     </tr>
     #end if
     #if $disturl
     <tr>
-        <th>DistURL</th><td>$util.escapeHTML($disturl)</td>
+        <th>DistURL</th><td>$util.formatLink($disturl)</td>
     </tr>
     #end if
     #end if
diff --git a/www/lib/kojiweb/util.py b/www/lib/kojiweb/util.py
index 301fd92..1dc2a56 100644
--- a/www/lib/kojiweb/util.py
+++ b/www/lib/kojiweb/util.py
@@ -534,6 +534,16 @@ def formatThousands(value):
     return '{:,}'.format(value)
 
 
+def formatLink(url):
+    """Turn a string into an HTML link if it looks vaguely like a URL.
+    If it doesn't, just return it properly escaped."""
+    url = escapeHTML(url.strip())
+    m = re.match(r'(https?|ssh|git|obs)://.*', url, flags=re.IGNORECASE)
+    if m:
+        return '<a href="{}">{}</a>'.format(url, url)
+
+    return url
+
 def rowToggle(template):
     """If the value of template._rowNum is even, return 'row-even';
     if it is odd, return 'row-odd'.  Increment the value before checking it.

From c12cdcfb54385a567d6bb8b41006b4a6f6aa8374 Mon Sep 17 00:00:00 2001
From: Alex Iribarren <Alex.Iribarren@cern.ch>
Date: Mar 12 2021 12:30:00 +0000
Subject: [PATCH 2/4] Escape single and double quotes as well, plus add test


---

diff --git a/tests/test_www/test_util.py b/tests/test_www/test_util.py
index 0f7c918..0c8e019 100644
--- a/tests/test_www/test_util.py
+++ b/tests/test_www/test_util.py
@@ -1,6 +1,6 @@
 import unittest
 
-from kojiweb.util import formatMode, formatLink
+from kojiweb.util import formatMode, formatLink, escapeHTML
 
 class TestFormatMode(unittest.TestCase):
     def test_format_mode(self):
@@ -34,3 +34,14 @@ class TestFormatMode(unittest.TestCase):
 
         for input, output in formats:
             self.assertEqual(formatLink(input), output)
+
+    def test_escape_html(self):
+        tests = (
+            ('test me', 'test me'),
+            ('test <danger>', 'test &lt;danger&gt;'),
+            ('test <danger="true">', 'test &lt;danger=&quot;true&quot;&gt;'),
+            ("test <danger='true'>", 'test &lt;danger=&#x27;true&#x27;&gt;'),
+        )
+
+        for input, output in tests:
+            self.assertEqual(escapeHTML(input), output)
diff --git a/www/lib/kojiweb/util.py b/www/lib/kojiweb/util.py
index 1dc2a56..8091f6f 100644
--- a/www/lib/kojiweb/util.py
+++ b/www/lib/kojiweb/util.py
@@ -604,6 +604,8 @@ def escapeHTML(value):
     < : &lt;
     > : &gt;
     & : &amp;
+    " : &quot;
+    ' : &#x27;
     """
     if not value:
         return value
@@ -611,7 +613,9 @@ def escapeHTML(value):
     value = koji.fixEncoding(value)
     return value.replace('&', '&amp;').\
         replace('<', '&lt;').\
-        replace('>', '&gt;')
+        replace('>', '&gt;').\
+        replace('"', '&quot;').\
+        replace("'", '&#x27;')
 
 
 def authToken(template, first=False, form=False):

From 5e95e701c99ae293922d3a80aeea9f0f45420b6b Mon Sep 17 00:00:00 2001
From: Alex Iribarren <Alex.Iribarren@cern.ch>
Date: Mar 12 2021 18:06:12 +0000
Subject: [PATCH 3/4] Don't encode already encoded entities


---

diff --git a/tests/test_www/test_util.py b/tests/test_www/test_util.py
index 0c8e019..b6b9c57 100644
--- a/tests/test_www/test_util.py
+++ b/tests/test_www/test_util.py
@@ -41,6 +41,8 @@ class TestFormatMode(unittest.TestCase):
             ('test <danger>', 'test &lt;danger&gt;'),
             ('test <danger="true">', 'test &lt;danger=&quot;true&quot;&gt;'),
             ("test <danger='true'>", 'test &lt;danger=&#x27;true&#x27;&gt;'),
+            ('test&test', 'test&amp;test'),
+            ('test&amp;test', 'test&amp;test'),
         )
 
         for input, output in tests:
diff --git a/www/lib/kojiweb/util.py b/www/lib/kojiweb/util.py
index 8091f6f..abd161d 100644
--- a/www/lib/kojiweb/util.py
+++ b/www/lib/kojiweb/util.py
@@ -117,12 +117,7 @@ class DecodeUTF8(Cheetah.Filters.Filter):
 class XHTMLFilter(DecodeUTF8):
     def filter(self, *args, **kw):
         result = super(XHTMLFilter, self).filter(*args, **kw)
-        result = result.replace('&', '&amp;')
-        result = result.replace('&amp;amp;', '&amp;')
-        result = result.replace('&amp;nbsp;', '&nbsp;')
-        result = result.replace('&amp;lt;', '&lt;')
-        result = result.replace('&amp;gt;', '&gt;')
-        return result
+        return re.sub(r'&(?![a-zA-Z0-9#]+;)', '&amp;', result)
 
 
 TEMPLATES = {}
@@ -611,7 +606,7 @@ def escapeHTML(value):
         return value
 
     value = koji.fixEncoding(value)
-    return value.replace('&', '&amp;').\
+    return re.sub(r'&(?![a-zA-Z0-9#]+;)', '&amp;', value).\
         replace('<', '&lt;').\
         replace('>', '&gt;').\
         replace('"', '&quot;').\

From 3a59389f7cb90761912d585600a34a7a6ad2914e Mon Sep 17 00:00:00 2001
From: Alex Iribarren <Alex.Iribarren@cern.ch>
Date: Mar 15 2021 13:39:38 +0000
Subject: [PATCH 4/4] Make flake8 happy


---

diff --git a/www/lib/kojiweb/util.py b/www/lib/kojiweb/util.py
index abd161d..a49c639 100644
--- a/www/lib/kojiweb/util.py
+++ b/www/lib/kojiweb/util.py
@@ -539,6 +539,7 @@ def formatLink(url):
 
     return url
 
+
 def rowToggle(template):
     """If the value of template._rowNum is even, return 'row-even';
     if it is odd, return 'row-odd'.  Increment the value before checking it.