commit dc893960ab720f0960df53fccb8a9f48af69c707
parent f1567981036f9238d6c7d4ca7b15442642095787
Author: n0tr1v <n0tr1v@protonmail.com>
Date: Sun, 9 Apr 2023 03:16:35 -0700
use bluemonday to sanitize html
Diffstat:
2 files changed, 9 insertions(+), 10 deletions(-)
diff --git a/pkg/web/handlers/api/v1/msgInterceptor.go b/pkg/web/handlers/api/v1/msgInterceptor.go
@@ -5,10 +5,9 @@ import (
"dkforest/pkg/database"
"dkforest/pkg/managers"
"dkforest/pkg/utils"
- "encoding/xml"
"errors"
"fmt"
- "github.com/sirupsen/logrus"
+ "github.com/microcosm-cc/bluemonday"
html2 "html"
"strings"
"time"
@@ -76,10 +75,6 @@ func generalRoomKarma(db *database.DkfDB, authUser *database.User) {
}
}
-func IsValidXML(data string) bool {
- return xml.Unmarshal([]byte(data), new(interface{})) == nil
-}
-
// ProcessRawMessage return the new html, and a map of tagged users used for notifications
// This function takes an "unsafe" user input "in", and return html which will be safe to render.
func ProcessRawMessage(db *database.DkfDB, in, roomKey string, authUserID database.UserID, roomID database.RoomID,
@@ -105,10 +100,12 @@ func ProcessRawMessage(db *database.DkfDB, in, roomKey string, authUserID databa
if quoted != nil { // Add quoted message owner for inboxes
taggedUsersIDsMap[quoted.UserID] = quoted.User
}
- if !IsValidXML(html) {
- logrus.Error("invalid html produced by: " + in)
- return "", nil, errors.New("input produce invalid html, please notify the staff")
- }
+ p := bluemonday.NewPolicy()
+ p.AllowElements("a", "p", "span", "strong", "del", "code", "pre", "em", "ul", "li", "br")
+ p.AllowAttrs("href", "rel", "target").OnElements("a")
+ p.AllowAttrs("tabindex", "style").OnElements("pre")
+ p.AllowAttrs("style", "class", "title").OnElements("span")
+ html = p.Sanitize(html)
return html, taggedUsersIDsMap, nil
}
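Review bot: The policy built at `p := bluemonday.NewPolicy()` allows `href` on `a` without turning on URL validation, so bluemonday does not check link schemes at all; if any earlier step of ProcessRawMessage (convertLinks appears to emit anchors from user text) lets a user-controlled URL reach an href, a non-http scheme such as `javascript:` would survive sanitization. Enable it with `p.AllowURLSchemes("http", "https")`, `p.RequireParseableURLs(true)` and, since the profile links look relative, `p.AllowRelativeURLs(true)`; `p.RequireNoReferrerOnLinks(true)` is worth adding as `target` is also allowed. Allowing `style` as a plain attribute on `pre` and `span` passes arbitrary CSS through; if inline styles are needed, `p.AllowStyles(...)` scoped to the specific properties is the bluemonday way to allow-list them. The policy is also rebuilt on every message; building it once at package level keeps the allow-list in one place. ProcessRawMessage starts before this hunk.
```go
// msgPolicy is the allow-list applied to rendered chat messages; built once at init.
var msgPolicy = func() *bluemonday.Policy {
	p := bluemonday.NewPolicy()
	// Validate href values instead of passing them through untouched.
	p.AllowURLSchemes("http", "https")
	p.RequireParseableURLs(true)
	p.AllowRelativeURLs(true) // profile links from convertLinks appear to be relative — confirm
	p.RequireNoReferrerOnLinks(true)
	p.AllowElements("a", "p", "span", "strong", "del", "code", "pre", "em", "ul", "li", "br")
	p.AllowAttrs("href", "rel", "target").OnElements("a")
	// TODO: a bare "style" attr admits arbitrary CSS; prefer p.AllowStyles(<properties>).OnElements(...)
	p.AllowAttrs("tabindex", "style").OnElements("pre")
	p.AllowAttrs("style", "class", "title").OnElements("span")
	return p
}()

// … unchanged: ProcessRawMessage body up to the tagged-users map …
	html = msgPolicy.Sanitize(html)
	return html, taggedUsersIDsMap, nil
```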
diff --git a/pkg/web/handlers/api/v1/topBarHandler.go b/pkg/web/handlers/api/v1/topBarHandler.go
@@ -814,6 +814,7 @@ func splitQuote(in string) (string, string) {
}
func convertLinks(in string, getUserByUsername func(string) (database.User, error)) string {
+ fmt.Println("??????", in)
quote, rest := splitQuote(in)
libredditURLs := []string{
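Review bot: The `fmt.Println("??????", in)` added at the top of convertLinks writes the raw, unsanitized user message to stdout on every call, and the next hunk adds the same kind of print for each matched link (`fmt.Println("???", link)`). That puts message contents into process output and any log capture, and it reads as leftover debugging rather than part of the bluemonday change; both lines should be dropped before merge, or replaced with a debug-level logrus call carrying a real message if tracing is actually wanted. The convertLinks body continues outside the hunk.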
@@ -852,6 +853,7 @@ func convertLinks(in string, getUserByUsername func(string) (database.User, erro
}
newRest := linkOrProfileRgx.ReplaceAllStringFunc(rest, func(link string) string {
+ fmt.Println("???", link)
// Convert all occurrences of "/u/username" to a link to user profile page if the user exists
if userProfileLinkRgx.MatchString(link) {