Prevent remote image injection with /img/emoji/ in url (#1245)

* test remote img blocking with /img/emoji/ in url * fix emoji filter prevent injection of remote img with /img/emoji in url
2021-07-23 20:00:04 +02:00
parent ae78283caf
commit a8e93de134
2 changed files with 2 additions and 2 deletions
--- a/core/chat/events/events.go
+++ b/core/chat/events/events.go
@@ -139,7 +139,7 @@ func sanitize(raw string) string {
 	p.AllowElements("br", "p")

 	// Allow img tags from the the local emoji directory only
-	p.AllowAttrs("src").Matching(regexp.MustCompile(`(?i)/img/emoji`)).OnElements("img")
+	p.AllowAttrs("src").Matching(regexp.MustCompile(`(?i)^/img/emoji`)).OnElements("img")
 	p.AllowAttrs("alt", "title").Matching(regexp.MustCompile(`:\S+:`)).OnElements("img")
 	p.AllowAttrs("class").OnElements("img")