fix: remove empty anchor tags from GHSA vulnerability details

Fixes issue where empty anchor tags like <a name="executive-summary"></a>
were appearing in GHSA vulnerability details fields. These anchor tags
are used for navigation in the original GHSA advisories but create empty
links when displayed in OSV records. This affects 51 GHSA records,
including NuGet packages.

The fix is implemented at two layers for defense in depth:

1. Data layer (osv/sources.py):
   - Add _sanitize_anchor_tags() function to remove empty anchor tags
     with name attributes using regex pattern matching
   - Apply sanitization in parse_vulnerability_from_dict() to clean
     the details field during vulnerability parsing
   - Ensures anchor tags are removed when GHSA JSON files are imported

2. Display layer (gcp/website/frontend_handlers.py):
   - Add _ANCHOR_TAG_REPLACER regex pattern for anchor tag removal
   - Apply sanitization in markdown() template filter during rendering
   - Provides fallback protection if any anchor tags slip through

3. Emulator update (gcp/website/frontend_emulator.py):
   - Update to use parse_vulnerability_from_dict() instead of direct
     json_format.ParseDict() to ensure sanitization is applied during
     local testing

Testing:
- Verified fix removes all 7 anchor tags from GHSA-hh2w-p6rv-4g7w test case
- Tested with various anchor tag formats (empty, self-closing, with attributes)
- Confirmed regular links and anchor tags with content are preserved
- Local testing performed using direct function tests and file parsing
  (gcloud emulator setup unavailable due to permission issues with
  ~/.config/gcloud directory ownership)

Signed-off-by: Vasu <[email protected]>

Author: Vasuk12

gcp/website/frontend_emulator.py

@@ -90,9 +90,9 @@ def _dict_to_vuln(data: object,
         if not vuln_id:
           return None
 
-        vulnerability = vulnerability_pb2.Vulnerability()
         try:
-          json_format.ParseDict(data, vulnerability, ignore_unknown_fields=True)
+          vulnerability = sources.parse_vulnerability_from_dict(
+              data, strict=False)
         except Exception as error:
           print(f'[emulator] Failed to convert entry in {path}: {error}')
           return None

gcp/website/frontend_handlers.py

@@ -834,6 +834,9 @@ def sort_versions(versions: list[str], ecosystem: str) -> list[str]:
 # with
 # <a href="https://chromium.googlesource.com/v8/v8.git/+/refs/heads/beta">
 _URL_MARKDOWN_REPLACER = re.compile(r'(<a href=\".*?)(/ /)(.*?\">)')
+_ANCHOR_TAG_REPLACER = re.compile(
+    r'<a\s+[^>]*name=["\'][^"\']*["\'][^>]*>\s*</a>|<a\s+[^>]*name=["\'][^"\']*["\'][^>]*/>',
+    re.IGNORECASE)
 
 
 @blueprint.app_template_filter('markdown')
@@ -852,6 +855,7 @@ def markdown(text):
     # space rather than %2B
     # See: https://github.com/trentm/python-markdown2/issues/621
     md = _URL_MARKDOWN_REPLACER.sub(r'\1/+/\3', md)
+    md = _ANCHOR_TAG_REPLACER.sub('', md)
 
     return md
 

osv/sources.py

@@ -17,6 +17,7 @@
 import hashlib
 import logging
 import os
+import re
 
 import jsonschema
 import pygit2
@@ -162,9 +163,21 @@ def _get_nested_vulnerability(data, key_path=None):
   return data
 
 
+def _sanitize_anchor_tags(text):
+  if not text or not isinstance(text, str):
+    return text
+  pattern = r'<a\s+[^>]*name=["\'][^"\']*["\'][^>]*>\s*</a>|<a\s+[^>]*name=["\'][^"\']*["\'][^>]*/>'
+  return re.sub(pattern, '', text, flags=re.IGNORECASE)
+
+
 def parse_vulnerability_from_dict(data, key_path=None, strict=False):
   """Parse vulnerability from dict."""
   data = _get_nested_vulnerability(data, key_path)
+
+  # Sanitize anchor tags from details field if present
+  if isinstance(data, dict) and 'details' in data and data['details']:
+    data['details'] = _sanitize_anchor_tags(data['details'])
+
   try:
     jsonschema.validate(data, load_schema())
   except jsonschema.exceptions.ValidationError as e: