From c54b89f1430c7f2b3d44be46e0f3390f0c64cf7a Mon Sep 17 00:00:00 2001 From: noobpk Date: Fri, 19 Nov 2021 13:00:03 +0700 Subject: [PATCH] Add URL schemes that are allowed within links Fix bug Stored XSS via markdown Disclosure: https://huntr.dev/bounties/be7f211d-4bfd-44fd-91e8-682329906fbd/ --- helpdesk/models.py | 4 ++++ helpdesk/settings.py | 5 ++++- 2 files changed, 8 insertions(+), 1 deletion(-) diff --git a/helpdesk/models.py b/helpdesk/models.py index 7f18cf20..a2d7f901 100644 --- a/helpdesk/models.py +++ b/helpdesk/models.py @@ -56,6 +56,10 @@ def get_markdown(text): if not text: return "" + schemes = '|'.join(helpdesk_settings.ALLOWED_URL_SCHEMES) + pattern = fr'\[(.+)\]\((?!({schemes})).*:(.+)\)' + text = re.sub(pattern, '[\\1](\\3)', text, flags=re.IGNORECASE) + return mark_safe( markdown( text, diff --git a/helpdesk/settings.py b/helpdesk/settings.py index 6437502e..c68cc4b9 100644 --- a/helpdesk/settings.py +++ b/helpdesk/settings.py @@ -76,7 +76,10 @@ HELPDESK_AUTO_SUBSCRIBE_ON_TICKET_RESPONSE = getattr(settings, 'HELPDESK_AUTO_SUBSCRIBE_ON_TICKET_RESPONSE', False) - +# URL schemes that are allowed within links +ALLOWED_URL_SCHEMES = getattr(settings, 'ALLOWED_URL_SCHEMES', ( + 'file', 'ftp', 'ftps', 'http', 'https', 'irc', 'mailto', 'sftp', 'ssh', 'tel', 'telnet', 'tftp', 'vnc', 'xmpp', +)) ############################ # options for public pages # ############################
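Review bot: The added `re.sub` in get_markdown only rewrites inline `[text](url)` links, so a reference-style definition such as `[x]: javascript:alert(1)` (which Python-Markdown also turns into an href, as far as I can tell) never meets the `\[(.+)\]\(` prefix and the stored-XSS vector stays open through that syntax; raw `<a href="javascript:...">` in the text is likewise untouched unless the `markdown(...)` call, whose arguments and the rest of get_markdown lie outside the hunk, strips raw HTML. The greedy `.+` and `.*:` also run across several links on one line, so `[a](javascript:x) see [b](https://ex.com)` collapses to `[a](//ex.com)` and a relative target with a colon like `[x](docs/a:b)` becomes `[x](b)`, silently mangling legitimate content. The lookahead `(?!({schemes}))` has no trailing `:` or boundary, so it is a prefix test rather than a scheme test; `pattern = fr'\[(.+)\]\((?!(?:{schemes}):).*:(.+)\)'` at least matches what ALLOWED_URL_SCHEMES claims to express. A more robust placement for this check is after rendering rather than on the markdown source: walk the produced `a[href]`/`img[src]` attributes (e.g. a Markdown tree processor) and drop any whose `urllib.parse.urlsplit(url).scheme.lower()` is non-empty and not in ALLOWED_URL_SCHEMES, which covers every link syntax the parser accepts instead of one regex-shaped subset.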