commit 1230c4c1df4afb83f0c6911e1c8c77cbd817e5c4
parent 6594b2590d9b9c8ba7653b69bba4a73a87b13f31
Author: n0tr1v <n0tr1v@protonmail.com>
Date: Thu, 6 Apr 2023 17:13:02 -0700
fix invalid html issues
Diffstat:
5 files changed, 24 insertions(+), 8 deletions(-)
diff --git a/pkg/web/handlers/api/v1/bangInterceptor.go b/pkg/web/handlers/api/v1/bangInterceptor.go
@@ -20,7 +20,7 @@ Chats:
Black Hat Chat: ` + config.BhcOnion + `
Forums:
CryptBB: ` + config.CryptbbOnion
- msg, _ := ProcessRawMessage(cmd.db, message, "", cmd.authUser.ID, cmd.room.ID, nil)
+ msg, _, _ := ProcessRawMessage(cmd.db, message, "", cmd.authUser.ID, cmd.room.ID, nil)
cmd.zeroMsg(msg)
cmd.err = ErrRedirect
}
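Review bot: The new error value is discarded with `_` on the ProcessRawMessage call, and the same pattern recurs in slashInterceptor.go handleInboxCmd, topBarHandler.go zeroProcMsgRoom and zeroPublicProcMsgRoom, and werewolf.go Narrate. On the error path ProcessRawMessage returns an empty string, so each of these sites carries on with `""` (an empty inbox message is persisted, an empty narration is sent) instead of surfacing the failure the way msgInterceptor.go does. Here the message is built from config constants so it is unlikely to trip the check, but the inbox path takes user text. At minimum the error should be handled: `msg, _, err := ProcessRawMessage(cmd.db, message, "", cmd.authUser.ID, cmd.room.ID, nil)` followed by `if err != nil { cmd.err = err; return }`. The enclosing function starts outside the hunk.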
diff --git a/pkg/web/handlers/api/v1/msgInterceptor.go b/pkg/web/handlers/api/v1/msgInterceptor.go
@@ -5,8 +5,10 @@ import (
"dkforest/pkg/database"
"dkforest/pkg/managers"
"dkforest/pkg/utils"
+ "encoding/xml"
"errors"
"fmt"
+ "github.com/sirupsen/logrus"
html2 "html"
"strings"
"time"
@@ -24,7 +26,12 @@ func (i MsgInterceptor) InterceptMsg(cmd *Command) {
return
}
- html, taggedUsersIDsMap := ProcessRawMessage(cmd.db, cmd.message, cmd.roomKey, cmd.authUser.ID, cmd.room.ID, cmd.upload)
+ html, taggedUsersIDsMap, err := ProcessRawMessage(cmd.db, cmd.message, cmd.roomKey, cmd.authUser.ID, cmd.room.ID, cmd.upload)
+ if err != nil {
+ cmd.dataMessage = cmd.origMessage
+ cmd.err = err
+ return
+ }
if len(strings.TrimSpace(html)) <= len("<p></p>") {
cmd.dataMessage = cmd.origMessage
@@ -69,9 +76,14 @@ func generalRoomKarma(db *database.DkfDB, authUser *database.User) {
}
}
+func IsValidXML(data string) bool {
+ return xml.Unmarshal([]byte(data), new(interface{})) == nil
+}
+
// ProcessRawMessage return the new html, and a map of tagged users used for notifications
// This function takes an "unsafe" user input "in", and return html which will be safe to render.
-func ProcessRawMessage(db *database.DkfDB, in, roomKey string, authUserID database.UserID, roomID database.RoomID, upload *database.Upload) (string, map[database.UserID]database.User) {
+func ProcessRawMessage(db *database.DkfDB, in, roomKey string, authUserID database.UserID, roomID database.RoomID,
+ upload *database.Upload) (string, map[database.UserID]database.User, error) {
html, quoted := convertQuote(db, in, roomKey, roomID) // Get raw quote text which is not safe to render
html = html2.EscapeString(html) // Makes user input safe to render
// All html generated from this point on shall be safe to render.
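Review bot: IsValidXML checks less than its name suggests: xml.Unmarshal into a `*interface{}` locates the first start element and then skips to its matching end tag, so anything after the first top-level element is never parsed, leading text before it is accepted, and an empty string fails with io.EOF rather than counting as trivially valid. If the generated html is always a single `<p>…</p>` root (the `<p></p>` comparison in InterceptMsg suggests so) this is adequate, but it should be stated rather than assumed. The default decoder is strict, so an HTML void element such as `<br>` or `<img>` emitted without self-closing by a later formatting step would be rejected; none is visible in this hunk, so this needs checking against the rest of the function. A doc comment would help: `// IsValidXML reports whether data parses as well-formed XML. Only the first top-level element is checked; an empty string is reported as invalid.` ProcessRawMessage continues past the end of the hunk.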
@@ -93,7 +105,11 @@ func ProcessRawMessage(db *database.DkfDB, in, roomKey string, authUserID databa
if quoted != nil { // Add quoted message owner for inboxes
taggedUsersIDsMap[quoted.UserID] = quoted.User
}
- return html, taggedUsersIDsMap
+ if !IsValidXML(html) {
+ logrus.Error("invalid html produced by: " + in)
+ return "", nil, errors.New("input produce invalid html, please notify the staff")
+ }
+ return html, taggedUsersIDsMap, nil
}
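Review bot: The log line concatenates the raw, pre-escape user input into the message: `logrus.Error("invalid html produced by: " + in)`. Newlines or control characters in `in` split the record across lines and make log review harder; `logrus.Errorf("invalid html produced by: %q", in)` keeps it on one line with escapes visible. Since `in` is the full message text, including inbox messages routed through handleInboxCmd, this writes user content to the log, which deserves either a comment stating that it is intended or a length cap on what is logged. The user-facing string also has a grammar slip: `errors.New("input produces invalid html, please notify the staff")`.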
func sendInboxes(db *database.DkfDB, room database.ChatRoom, authUser, toUser *database.User, msgID int64, groupID *database.GroupID, html string, modMsg bool,
diff --git a/pkg/web/handlers/api/v1/slashInterceptor.go b/pkg/web/handlers/api/v1/slashInterceptor.go
@@ -1236,7 +1236,7 @@ func handleInboxCmd(c *Command) (handled bool) {
html = strings.Join(strings.Split(html, "\n"), " ")
}
- html, _ = ProcessRawMessage(c.db, html, c.roomKey, c.authUser.ID, c.room.ID, nil)
+ html, _, _ = ProcessRawMessage(c.db, html, c.roomKey, c.authUser.ID, c.room.ID, nil)
c.db.CreateInboxMessage(html, c.room.ID, c.authUser.ID, toUser.ID, true, false, nil)
c.dataMessage = "/inbox " + username + " "
diff --git a/pkg/web/handlers/api/v1/topBarHandler.go b/pkg/web/handlers/api/v1/topBarHandler.go
@@ -448,13 +448,13 @@ func (c *Command) zeroProcMsg(rawMsg string) {
func (c *Command) zeroProcMsgRoom(rawMsg, roomKey string, roomID database.RoomID) {
zeroUser := c.getZeroUser()
- procMsg, _ := ProcessRawMessage(c.db, rawMsg, roomKey, c.authUser.ID, roomID, nil)
+ procMsg, _, _ := ProcessRawMessage(c.db, rawMsg, roomKey, c.authUser.ID, roomID, nil)
rawMsgRoom(c.db, zeroUser, c.authUser, rawMsg, procMsg, roomKey, roomID)
}
func (c *Command) zeroPublicProcMsgRoom(rawMsg, roomKey string, roomID database.RoomID) {
zeroUser := c.getZeroUser()
- procMsg, _ := ProcessRawMessage(c.db, rawMsg, roomKey, c.authUser.ID, roomID, nil)
+ procMsg, _, _ := ProcessRawMessage(c.db, rawMsg, roomKey, c.authUser.ID, roomID, nil)
rawMsgRoom(c.db, zeroUser, nil, rawMsg, procMsg, roomKey, roomID)
}
diff --git a/pkg/web/handlers/api/v1/werewolf.go b/pkg/web/handlers/api/v1/werewolf.go
@@ -329,7 +329,7 @@ func (b *Werewolf) isValidPlayerName(name string) bool {
// Narrate register a chat message on behalf of the narrator user
func (b *Werewolf) Narrate(msg string, toUserID *database.UserID, groupID *database.GroupID) {
- html, _ := ProcessRawMessage(b.db, msg, "", b.narratorID, b.roomID, nil)
+ html, _, _ := ProcessRawMessage(b.db, msg, "", b.narratorID, b.roomID, nil)
b.NarrateRaw(html, toUserID, groupID)
}