Prevent formatting links as markdown links

[ekzyis]

Currently, users can create open redirects to potentially malicious links.

For example I can write https://stacker.news/items/194732 which actually redirects to https://stacker.news/items/194731
(interestingly, this also works in Github).

At first, I thought a open redirect warning would be enough but since we use a lot of links to external sites on SN, I think this would be detrimental to UX.

So I think the better solution is to check if the thing inside [] is already a link and then prevent using the markdown link syntax ([]())

edit: Or only use open redirects for this case if possible. For example, by replacing the URL to a page like https://stacker.news/redirect?url=<external_url>

---

Reference: https://stacker.news/items/194732

[nix2intel]

Hey i'm about to for the repo and start working on this @huumn or another dev, could you point me in the right direction of the flow and the files I'll need to touch? I can stumble through it, but with a bit of guidance I could probably get it wrapped up pretty quickly. Just getting my sea legs in your software :D

[ekzyis]

For this ticket, I would guess that the following files are important:

• components/text.js since that's where our Markdown input is defined (it uses react-markdown)
• lib/md.js implements some markdown helper stuff
• api/resolvers/item.js for backend stuff. The Graphql mutations for posting and commenting are implemented here

Hope this helps, if not, let us know :)

I also see the solution was left open in this ticket. Personally, I think a "you're leaving SN" warning would be the way to go for masked external links. So not for every external link (to not make it annoying), but just for ones which use a different URL and thus it makes sense to warn users.