From 818b38b9d0bdbf46558686b324821b558c93e734 Mon Sep 17 00:00:00 2001
From: zhark01
Date: Sat, 5 Dec 2020 15:23:54 -0500
Subject: [PATCH] widgets: Add support for clickable links.

The change was made to support links in polls, as mentioned in issue #12947. We used markdown renderer to render the link content, and parsed out any unnecessary p tags. We changed javascript and hbs files so that they properly render the content. Tested locally whether the links work, in addition to checking for XSS vulnerbilities. Everything tested worked, and no vulnerabilities discovered. Double check that there are no XSS issues.

Fixes: #12947
---
 static/templates/widgets/poll_widget_results.hbs | 2 +-
 zerver/lib/actions.py | 2 +-
 zerver/lib/widget.py | 4 ++--
 3 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/static/templates/widgets/poll_widget_results.hbs b/static/templates/widgets/poll_widget_results.hbs
index 062851d8738a5..158e7d8eb72bf 100644
--- a/static/templates/widgets/poll_widget_results.hbs
+++ b/static/templates/widgets/poll_widget_results.hbs
@@ -8,4 +8,4 @@
 ({{ names }})
 {{/if}}
-{{/each}}
\ No newline at end of file
+{{/each}}
diff --git a/zerver/lib/actions.py b/zerver/lib/actions.py
index fa31acf8bf148..4f73240c8ed30 100644
--- a/zerver/lib/actions.py
+++ b/zerver/lib/actions.py
@@ -1,5 +1,6 @@
 import datetime
 import itertools
+import json
 import logging
 import os
 import time
@@ -37,7 +38,6 @@
 from psycopg2.extras import execute_values
 from psycopg2.sql import SQL
 from typing_extensions import TypedDict
-import json
 from analytics.lib.counts import COUNT_STATS, RealmCount, do_increment_logging_stat
 from analytics.models import StreamCount
diff --git a/zerver/lib/widget.py b/zerver/lib/widget.py
index 675b0f76a56fc..e77e72848bbcb 100644
--- a/zerver/lib/widget.py
+++ b/zerver/lib/widget.py
@@ -2,9 +2,9 @@
 import re
 from typing import Any, MutableMapping, Optional, Tuple
-from zerver.models import SubMessage
 from zerver.lib.markdown import markdown_convert
-from zerver.models import get_realm
+from zerver.models import SubMessage, get_realm
+
 def filter_and_render_string(input: str) -> str:
     # Run through the markdown engine so that links will work
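Review bot: filter_and_render_string is documented only by the one-line comment at the end of this hunk, and its body lies outside the hunk, so the XSS double-check the description asks for cannot be confirmed from this diff; the widget.py changes here merge the two zerver.models imports into one line and add a blank line, nothing more. Since the description says this function's markdown output is what the poll template renders, a docstring that names the trust boundary would help the next reviewer find it: `"""Run user-supplied widget text through the markdown engine so links render. The output reaches the poll template as-is, so escaping must come from markdown_convert or from this function."""`. Whether the function also strips the surrounding p tags, as the description claims, is not visible in this hunk and should be checked in the full file.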