
get_markdown incorrectly renders text that contains both hyperlinks and parentheses #1102

Open
mattbuff-nynhp opened this issue Jun 26, 2023 · 3 comments

@mattbuff-nynhp

If the following sentence is entered into a ticket, it does not render correctly in the ticket.html template:

Here is some example text containing (parentheses) before a link also surrounded by parentheses (https://github.com/).

It renders as:

Here is some example text containing (//github.com/).

The missing text in bold:

Here is some example text containing (**parentheses) before a link also surrounded by parentheses (https:**//github.com/).

I've narrowed down the bug to the regex and text replacement in get_markdown(). The text renders correctly when the replacement code (lines 58-67) is commented out.

```python
import re

from django.utils.safestring import mark_safe
from markdown import markdown

# EscapeHtml is django-helpdesk's own markdown extension and helpdesk_settings
# its settings module; the import path below is assumed from the project layout.
from helpdesk import settings as helpdesk_settings


def get_markdown(text):
    if not text:
        return ""
    pattern = r'([\[\s\S\]]*?)\(([\s\S]*?):([\s\S]*?)\)'
    # Regex check
    if re.match(pattern, text):
        # get the value of the scheme group (group 2 of the first match)
        scheme = re.search(pattern, text, re.IGNORECASE).group(2)
        # scheme check
        if scheme in helpdesk_settings.ALLOWED_URL_SCHEMES:
            replacement = '\\1(\\2:\\3)'
        else:
            replacement = '\\1(\\3)'
        text = re.sub(pattern, replacement, text, flags=re.IGNORECASE)
    return mark_safe(
        markdown(
            text,
            extensions=[
                EscapeHtml(), 'markdown.extensions.nl2br',
                'markdown.extensions.fenced_code'
            ]
        )
    )
```
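The mis-parse reported above, reproduced next to a hardened pattern, as an added example that is not code from the django-helpdesk project: `ALLOWED_URL_SCHEMES` is a constructed stand-in for `helpdesk_settings.ALLOWED_URL_SCHEMES`, and the markdown rendering step is left out so only the regex replacement is exercised.

```python
import re

# Constructed stand-in for helpdesk_settings.ALLOWED_URL_SCHEMES (assumed value).
ALLOWED_URL_SCHEMES = ("http", "https", "ftp", "mailto")

# Pattern quoted in the report. Group 2 is "anything, lazily, up to the first
# ':'", so it runs across ')' and '(' and swallows ordinary prose as the scheme.
BUGGY_PATTERN = r'([\[\s\S\]]*?)\(([\s\S]*?):([\s\S]*?)\)'


def buggy_filter(text):
    """The replacement logic from the issue, without the markdown rendering."""
    if re.match(BUGGY_PATTERN, text):
        scheme = re.search(BUGGY_PATTERN, text, re.IGNORECASE).group(2)
        if scheme in ALLOWED_URL_SCHEMES:
            replacement = r'\1(\2:\3)'
        else:
            replacement = r'\1(\3)'
        text = re.sub(BUGGY_PATTERN, replacement, text, flags=re.IGNORECASE)
    return text


# Hardened form: the scheme must sit directly after '(' and follow the RFC 3986
# scheme grammar, ALPHA *(ALPHA / DIGIT / "+" / "-" / "."), so it can never
# contain spaces or parentheses; the remainder still runs lazily to the next ')'.
SAFE_PATTERN = re.compile(r'\(([A-Za-z][A-Za-z0-9+.-]*):([\s\S]*?)\)')


def safe_filter(text):
    """Judge every parenthesised scheme:... by its own scheme, not the first one."""
    def keep_or_strip(match):
        scheme, rest = match.group(1), match.group(2)
        if scheme.lower() in ALLOWED_URL_SCHEMES:
            return match.group(0)
        return "(%s)" % rest  # drop the disallowed scheme, keep the remainder
    return SAFE_PATTERN.sub(keep_or_strip, text)


# The sentence from the report, embedded here as the sample input.
REPORTED = ("Here is some example text containing (parentheses) before a link "
            "also surrounded by parentheses (https://github.com/).")

if __name__ == "__main__":
    print(buggy_filter(REPORTED))  # ... containing (//github.com/).
    print(safe_filter(REPORTED))   # unchanged: the https link is allowed
```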

@uhurusurfa (Collaborator)

The regex and associated code were introduced by this PR: #985

It looks like it was designed to prevent javascript injection.

@gwasser - can you provide insight?

@gwasser (Member)

gwasser commented Jun 28, 2023

Basically yes, preventing javascript injection as a security issue. The regex could probably be extended to handle parentheses correctly.

@uhurusurfa (Collaborator)

Ok - I will work on a fix with some unit tests.
