Editor-core paste plugin mangles links containing %25

(To be honest I’m here because of a UI bug I experienced in Jira. I filed JST-603374 but didn’t get a very helpful response so tracked it down to the source here…)

If I copy the following URL:

https://www.google.com/search?q=hello%252Fhello (a search for hello%2Fhello)

and paste it into an editor-core instance or a Jira comment, then the link you see pasted is

https://www.google.com/search?q=hello%2Fhello (a search for hello/hello)

Note: The content on the pasteboard must be plain text. If it’s copied from a rich text source, then the bug appears to not happen. (One way to make sure you’ve got plain text is to paste it into your browser’s address bar and then copy it again.)

This transformation is because %25 represents a percent character %, but it’s not safe here. This is not the same URL – the former is a search for hello%2Fhello, the latter, hello/hello. The href itself is still correct but the visible link text is wrong, and if someone then copies that text elsewhere they’ll have copied a different link than the comment author intended. Other special entities like %26 = & already don’t get replaced because they have special meaning in URLs; %25 = % should have the same treatment.

I traced the behavior back to this normalizeLinkText call in the paste plugin: Bitbucket.

The buggy behavior is actually upstream in the normalizeLinkText implementation in the markdown-it project, which I filed an issue for that was just fixed (normalizeLinkText mangles links containing %25 · Issue #720 · markdown-it/markdown-it · GitHub). The fix is in markdown-it@12.0.0.

All this to say – would you be able to upgrade your version of markdown-it to pick up the fix so that my Jira comment box no longer suffers from this? :slight_smile: Let me know if I can provide other helpful info.

Hey @sophiebits-humu, thanks for the detailed bug report. We’ve reached out to the responsible team to investigate.