Skip linkify escaped username reference

Closes tildes-community/tildes-cf#12 See merge request tildes-community/tildes-cf!10
4 weeks ago · b0c4eab162
2 changed files with 46 additions and 5 deletions
--- a/tildes/tests/test_markdown.py
+++ b/tildes/tests/test_markdown.py
@ -411,6 +411,16 @@ def test_username_reference_linkified():
    assert soup.find("a", href="/user/SomeUser")


+def test_escaped_username_reference_not_linkified():
+    """Ensure we don't linkify an escaped username reference."""
+    markdown = "Hey \@SomeUser, what do you think of this?"
+    processed = convert_markdown_to_safe_html(markdown)
+
+    soup = BeautifulSoup(processed, features="html5lib")
+    assert len(soup.find_all("a")) == 0
+    assert "@SomeUser" in processed
+
+
 def test_u_style_username_ref_linked():
    """Ensure a /u/username reference gets linkified."""
    markdown = "Hey /u/SomeUser, what do you think of this?"
--- a/tildes/tildes/lib/markdown.py
+++ b/tildes/tildes/lib/markdown.py
@ -6,6 +6,7 @@
 import re
 from collections.abc import Callable, Iterator
 from functools import partial
+from random import randint
 from typing import Any, Optional, Union

 import bleach
@ -129,7 +130,7 @@ def convert_markdown_to_safe_html(
 ) -> str:
    """Convert markdown to sanitized HTML."""
    # apply custom pre-processing to markdown
-    markdown = preprocess_markdown(markdown)
+    markdown, replacements = preprocess_markdown(markdown)

    markdown_bytes = markdown.encode("utf8")

@ -152,11 +153,14 @@ def convert_markdown_to_safe_html(
    # apply custom post-processing to HTML
    html = postprocess_markdown_html(html)

-    # add linkification and sanitize the final HTML before returning it
-    return linkify_and_sanitize_html(html, context)
+    # add linkification and sanitize the HTML
+    html = linkify_and_sanitize_html(html, context)

+    # finally restore any escaped substrings before returning HTML
+    return restore_replacements(html, replacements)

-def preprocess_markdown(markdown: str) -> str:
+
+def preprocess_markdown(markdown: str) -> tuple[str, dict[str, str]]:
    """Pre-process markdown before passing it to CommonMark."""
    markdown = escape_accidental_ordered_lists(markdown)

@ -165,7 +169,27 @@ def preprocess_markdown(markdown: str) -> str:
    # fix the "shrug" emoji ¯\_(ツ)_/¯ to prevent markdown mangling it
    markdown = markdown.replace(r"¯\_(ツ)_/¯", r"¯\\\_(ツ)\_/¯")

-    return markdown
+    # temporary replacements to restore after markdown processing
+    replacements = {}
+    if r"\@" in markdown:
+        # cmark rendering removes `\` before any punctuation,
+        # so `\@` becomes `@` and unexpectedly linkifies during the
+        # later linkify step.
+        # prevent that by using a replacement during cmark rendering.
+        replacements[r"\@"] = random_replacement_string(markdown)
+        markdown = markdown.replace(r"\@", replacements[r"\@"])
+
+    return (markdown, replacements)
+
+
+def random_replacement_string(markdown: str) -> str:
+    """Pick a random replacement string not present in input markdown."""
+    some_int = randint(1000000, 99999999999)
+    some_int_str = str(some_int)
+    if some_int_str in markdown:
+        return random_replacement_string(markdown)
+    else:
+        return some_int_str


 def merge_subsequent_blockquotes(markdown: str) -> str:
@ -216,6 +240,13 @@ def postprocess_markdown_html(html: str) -> str:
    return html


+def restore_replacements(html: str, preprocessed_replacements: dict[str, str]) -> str:
+    """Restore replacement strings to sanitized and linkified HTML."""
+    if r"\@" in preprocessed_replacements:
+        html = html.replace(preprocessed_replacements[r"\@"], "@")
+    return html
+
+
 class CodeHtmlFormatter(HtmlFormatter):
    """Custom Pygments HtmlFormatter to use a <code> tag.