Add URL schemes that are allowed within links

Fix bug Stored XSS via markdown
Disclosure: https://huntr.dev/bounties/be7f211d-4bfd-44fd-91e8-682329906fbd/

helpdesk/models.py

@@ -56,6 +56,10 @@ def get_markdown(text):
     if not text:
         return ""
 
+    schemes = '|'.join(helpdesk_settings.ALLOWED_URL_SCHEMES)
+    pattern = fr'\[(.+)\]\((?!({schemes})).*:(.+)\)'
+    text = re.sub(pattern, '[\\1](\\3)', text, flags=re.IGNORECASE)
+
     return mark_safe(
         markdown(
             text,

helpdesk/settings.py

@@ -76,7 +76,10 @@ HELPDESK_AUTO_SUBSCRIBE_ON_TICKET_RESPONSE = getattr(settings,
                                                      'HELPDESK_AUTO_SUBSCRIBE_ON_TICKET_RESPONSE',
                                                      False)
 
-
+# URL schemes that are allowed within links
+ALLOWED_URL_SCHEMES = getattr(settings, 'ALLOWED_URL_SCHEMES', (
+     'file', 'ftp', 'ftps', 'http', 'https', 'irc', 'mailto', 'sftp', 'ssh', 'tel', 'telnet', 'tftp', 'vnc', 'xmpp',
+))
 ############################
 # options for public pages #
 ############################