From 9983ef2794a1ad8d0c49a253d1e01dae263ec8b7 Mon Sep 17 00:00:00 2001
From: David <59258980+zerodytrash@users.noreply.github.com>
Date: Tue, 8 Mar 2022 22:03:37 +0100
Subject: [PATCH] [fix] improve custom emoji validation (#1772)

---
 core/chat/events/events.go | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/core/chat/events/events.go b/core/chat/events/events.go
index ad28c73df..7d5cb14d8 100644
--- a/core/chat/events/events.go
+++ b/core/chat/events/events.go
@@ -125,8 +125,9 @@ func RenderMarkdown(raw string) string {
 }

 var (
- _sanitizeReSrcMatch = regexp.MustCompile(`(?i)^/img/emoji`)
+ _sanitizeReSrcMatch = regexp.MustCompile(`(?i)^/img/emoji/[^\.%]*.[A-Z]*$`)
  _sanitizeReAltTitleMatch = regexp.MustCompile(`:\S+:`)
+ _sanitizeReClassMatch = regexp.MustCompile(`(?i)^(emoji)[A-Z_]*?$`)
 )

 func sanitize(raw string) string {
@@ -153,7 +154,7 @@ func sanitize(raw string) string {
  // Allow img tags from the the local emoji directory only
  p.AllowAttrs("src").Matching(_sanitizeReSrcMatch).OnElements("img")
  p.AllowAttrs("alt", "title").Matching(_sanitizeReAltTitleMatch).OnElements("img")
- p.AllowAttrs("class").OnElements("img")
+ p.AllowAttrs("class").Matching(_sanitizeReClassMatch).OnElements("img")

  // Allow bold
  p.AllowElements("strong")
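Review bot: The `.` before `[A-Z]*` in the new `_sanitizeReSrcMatch` is unescaped and `[A-Z]*` may be empty, so the pattern does not actually require a file extension: any single character followed by optional letters satisfies the tail. The class `[^\.%]*` also still admits `/`, `\`, `?`, `#` and whitespace, so the value is constrained by a denylist of two characters rather than by what an emoji path looks like. If the emoji file names allow it, an allowlist such as `(?i)^/img/emoji/[a-z0-9_-]+\.[a-z0-9]+$` states the intent directly; at minimum escape the dot and use `+` for the extension. In `_sanitizeReClassMatch` the capture group and the lazy `*?` have no effect between the anchors, so `(?i)^emoji[a-z_]*$` is equivalent and easier to read. The `sanitize` function that uses these patterns begins on the last line of the hunk and continues outside it.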
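Review bot: The `class` rule on `img` now relies on a fully anchored pattern with no whitespace in it, and bluemonday's `Matching` appears to test the whole attribute value, so an `img` carrying more than one class name would lose the attribute entirely. That is worth stating next to the call, for example `// class must be a single emoji* token; any other value is stripped`. No test accompanies the change in this patch; a table-driven case for `sanitize` with accepted and rejected `src` and `class` values would pin the new behaviour and catch a later loosening of either pattern. `sanitize` starts and ends outside the hunk.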