widgets: Add support for clickable links.

The change was made to support links in polls, as mentioned in issue zulip#12947. We used markdown renderer to render the link content, and parsed out any unnecessary p tags. We changed javascript and hbs files so that they properly render the content. Tested locally whether the links work, in addition to checking for XSS vulnerbilities. Everything tested worked, and no vulnerabilities discovered. Double check that there are no XSS issues. Fixes: zulip#12947
zhark01 · Dec 5, 2020 · 818b38b · 818b38b
1 parent 89c6966
commit 818b38b
Show file tree

Hide file tree

Showing 3 changed files with 4 additions and 4 deletions.
diff --git a/static/templates/widgets/poll_widget_results.hbs b/static/templates/widgets/poll_widget_results.hbs
@@ -8,4 +8,4 @@
     <span class="poll-names">({{ names }})</span>
     {{/if}}
 </li>
-{{/each}}
+{{/each}}
diff --git a/zerver/lib/actions.py b/zerver/lib/actions.py
@@ -1,5 +1,6 @@
 import datetime
 import itertools
+import json
 import logging
 import os
 import time
@@ -37,7 +38,6 @@
 from psycopg2.extras import execute_values
 from psycopg2.sql import SQL
 from typing_extensions import TypedDict
-import json
 
 from analytics.lib.counts import COUNT_STATS, RealmCount, do_increment_logging_stat
 from analytics.models import StreamCount

diff --git a/zerver/lib/widget.py b/zerver/lib/widget.py
@@ -2,9 +2,9 @@
 import re
 from typing import Any, MutableMapping, Optional, Tuple
 
-from zerver.models import SubMessage
 from zerver.lib.markdown import markdown_convert
-from zerver.models import get_realm
+from zerver.models import SubMessage, get_realm
+
 
 def filter_and_render_string(input: str) -> str:
     # Run through the markdown engine so that links will work