From a8e93de1346876082adc4c8b5885bc7ce9238aa8 Mon Sep 17 00:00:00 2001
From: Meisam <39205857+MFTabriz@users.noreply.github.com>
Date: Fri, 23 Jul 2021 20:00:04 +0200
Subject: [PATCH] Prevent remote image injection with /img/emoji/ in url (#1245)
* test remote img blocking with /img/emoji/ in url
* fix emoji filter prevent injection of remote img with /img/emoji in url
---
 core/chat/events/events.go | 2 +-
 core/chat/messageRendering_test.go | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/core/chat/events/events.go b/core/chat/events/events.go
index a66f44477..8c2e4ae83 100644
--- a/core/chat/events/events.go
+++ b/core/chat/events/events.go
@@ -139,7 +139,7 @@ func sanitize(raw string) string {
 	p.AllowElements("br", "p")
 	// Allow img tags from the the local emoji directory only
-	p.AllowAttrs("src").Matching(regexp.MustCompile(`(?i)/img/emoji`)).OnElements("img")
+	p.AllowAttrs("src").Matching(regexp.MustCompile(`(?i)^/img/emoji`)).OnElements("img")
 	p.AllowAttrs("alt", "title").Matching(regexp.MustCompile(`:\S+:`)).OnElements("img")
 	p.AllowAttrs("class").OnElements("img")
diff --git a/core/chat/messageRendering_test.go b/core/chat/messageRendering_test.go
index 609b5d3ae..6a740f8cb 100644
--- a/core/chat/messageRendering_test.go
+++ b/core/chat/messageRendering_test.go
@@ -33,7 +33,7 @@ blah blah blah
 // Test to make sure we block remote images in chat messages.
 func TestBlockRemoteImages(t *testing.T) {
-	messageContent := ` test ![](https://via.placeholder.com/350x150)`
+	messageContent := ` test ![](https://via.placeholder.com/img/emoji/350x150)`
 	expected := `
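Review bot: The comment above the changed `src` rule still reads `// Allow img tags from the the local emoji directory only` and does not record why the `^` anchor is there, so a later edit could drop it without noticing the regression this commit fixes; I would reword it to `// Allow img only when src is a site-relative path starting with /img/emoji; the ^ anchor rejects remote (and protocol-relative) URLs that merely contain that segment.` The new pattern is still an open-ended prefix match, so any same-origin path beneath `/img/emoji`, including query strings, is accepted — fine if that is the intent, but worth stating in the comment so nobody later "tightens" it with `$` and breaks emoji with size or cache-busting parameters. The test in the second hunk exercises only the absolute-URL case; a positive case asserting that a genuine `/img/emoji/...` src survives sanitization would guard against the rule being over-restricted in the future. sanitize's body starts and ends outside the hunk.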

test

` result := events.RenderAndSanitize(messageContent)