
Ticket #7530 (closed defect: wontfix)

Opened 3 years ago

Last modified 3 years ago

'a href' and 'a name' tags don't allow colons

Reported by: twile Owned by: rblank
Priority: normal Milestone:
Component: web frontend Version: 0.11rc2
Severity: normal Keywords:
Cc:
Release Notes:
API Changes:

Description

When using the html WikiProcessor the href and name tags do not work with colons. You can see the example below.

Link With Colon
Link Without Colon

Colon doesn't work
No Colon does work

System Setup:
Trac: 0.11rc2
Python: 2.5.1 (r251:54863, Mar 7 2008, 04:14:33) [GCC 4.1.3 20070929 (prerelease) (Ubuntu 4.1.2-16ubuntu2)]
setuptools: 0.6c6
SQLite: 3.4.2
pysqlite: 2.3.2
Genshi: 0.5.1
mod_python: 3.3.1
jQuery: 1.2.3

Attachments

Change History

comment:1 Changed 3 years ago by ebray

Seems to work for me right here on this site. Can you give an example of the HTML you're trying to use?

comment:2 Changed 3 years ago by rblank

  • Milestone set to 0.11.3
  • Owner set to rblank

Here's the HTML used in the ticket description:

{{{
#!html
<a href="#::Link_with_colon">Link With Colon</a><br>
<a href="#Link_without_colon">Link Without Colon</a><br><br>
<a name="::Link_with_colon">Colon doesn't work</a><br>
<a name="Link_without_colon">No Colon does work</a><br>
}}}

Indeed, the first link does not appear as a link. The generated HTML is:

<a>Link With Colon</a><br />
<a href="#Link_without_colon">Link Without Colon</a><br /><br />
<a name="::Link_with_colon">Colon doesn't work</a><br />
<a name="Link_without_colon">No Colon does work</a><br />

However, contrary to what the ticket description claims, the name= attribute works with colons.

This looks like an HTML sanitization bug.

comment:3 Changed 3 years ago by rblank

  • Resolution set to wontfix
  • Status changed from new to closed

Yes, it's a bug in Genshi, more specifically in genshi.filters.html.HTMLSanitizer.

The filter checks attributes supposed to contain URIs (like href=) for safe URIs. The check is done in HTMLSanitizer.is_safe_uri(). It is too simplistic, though: it splits the URI at the first ':' and checks the first half against a list of schemes. This is not correct for relative URIs containing a ':'.

Instead, it should first verify that the scheme conforms to RFC-3986, that is:

scheme        = ALPHA *( ALPHA / DIGIT / "+" / "-" / "." )

Anyway, this is not a bug in Trac.
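
The check described in comment:3, sketched next to a version that applies the RFC 3986 scheme grammar (an added example, not part of the ticket and not Genshi's code). The allow-list and function names are assumptions; the whitespace normalization and the fail-closed branch go beyond what the ticket proposes, so that input such as " javascript:" is not mistaken for a relative URI.

```python
import re

# Assumed allow-list for this example; not Genshi's actual list.
SAFE_SCHEMES = frozenset(["http", "https", "ftp", "mailto"])
# RFC 3986: scheme = ALPHA *( ALPHA / DIGIT / "+" / "-" / "." )
SCHEME_RE = re.compile(r"[A-Za-z][A-Za-z0-9+.\-]*\Z")
# Browsers strip leading/trailing C0 controls and spaces and drop any
# tab, LF or CR inside a URL before parsing it.
C0_AND_SPACE = "".join(chr(c) for c in range(0x21))
DROP_TAB_NL = {0x09: None, 0x0A: None, 0x0D: None}


def naive_is_safe_uri(uri):
    """Behaviour described in comment:3: split at the first ':'."""
    if ":" not in uri:
        return True
    return uri.split(":", 1)[0].lower() in SAFE_SCHEMES


def strict_is_safe_uri(uri):
    """Treat the text before ':' as a scheme only where RFC 3986 allows one."""
    uri = uri.strip(C0_AND_SPACE).translate(DROP_TAB_NL)
    # A scheme delimiter must come before any '/', '?' or '#'.
    m = re.match(r"([^:/?#]*):", uri)
    if m is None:
        return True  # relative reference, e.g. "#::Link_with_colon"
    head = m.group(1)
    if not SCHEME_RE.match(head):
        return False  # ':' in the first segment without a valid scheme
    return head.lower() in SAFE_SCHEMES


# Constructed sample inputs; the first two come from the ticket's HTML.
SAMPLES = ["#::Link_with_colon", "#Link_without_colon", "wiki/Page:Sub",
           "http://example.org/", "javascript:alert(1)", " java\tscript:x"]

if __name__ == "__main__":
    for s in SAMPLES:
        print(repr(s), naive_is_safe_uri(s), strict_is_safe_uri(s))
```
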

comment:4 Changed 3 years ago by rblank

The issue has been filed as #G274.

comment:5 Changed 3 years ago by rblank

  • Milestone 0.11.3 deleted