
Prevent remote image injection with /img/emoji/ in url (#1245)

* test remote img blocking with /img/emoji/ in url

* fix emoji filter

prevent injection of a remote img whose url contains /img/emoji
Meisam 2021-07-23 20:00:04 +02:00 committed by GitHub
parent ae78283caf
commit a8e93de134
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 2 additions and 2 deletions


@ -139,7 +139,7 @@ func sanitize(raw string) string {
p.AllowElements("br", "p") p.AllowElements("br", "p")
// Allow img tags from the the local emoji directory only // Allow img tags from the the local emoji directory only
p.AllowAttrs("src").Matching(regexp.MustCompile(`(?i)/img/emoji`)).OnElements("img") p.AllowAttrs("src").Matching(regexp.MustCompile(`(?i)^/img/emoji`)).OnElements("img")
p.AllowAttrs("alt", "title").Matching(regexp.MustCompile(`:\S+:`)).OnElements("img") p.AllowAttrs("alt", "title").Matching(regexp.MustCompile(`:\S+:`)).OnElements("img")
p.AllowAttrs("class").OnElements("img") p.AllowAttrs("class").OnElements("img")
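Review bot: Anchoring the pattern with `^` on the `AllowAttrs("src")` line now rejects absolute and protocol-relative URLs, but `^/img/emoji` is still an open-ended prefix: any same-origin path that merely begins with those characters (for example `/img/emoji-extra/x.png`) passes, so the comment's promise of "local emoji directory only" is wider than what the check enforces. If emoji files sit directly in that directory, a bounded pattern such as `(?i)^/img/emoji/[^/]+$` would pin both the directory and a single path segment; this is a suggestion to confirm against the actual emoji layout, and a positive test asserting that a real emoji src survives sanitizing would guard against over-tightening. The comment line above also carries a doubled word and should read `// Allow img tags from the local emoji directory only`. The body of sanitize continues outside the hunk.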


@ -33,7 +33,7 @@ blah blah blah
// Test to make sure we block remote images in chat messages. // Test to make sure we block remote images in chat messages.
func TestBlockRemoteImages(t *testing.T) { func TestBlockRemoteImages(t *testing.T) {
messageContent := `<img src="https://via.placeholder.com/350x150"> test ![](https://via.placeholder.com/350x150)` messageContent := `<img src="https://via.placeholder.com/img/emoji/350x150"> test ![](https://via.placeholder.com/img/emoji/350x150)`
expected := `<p> test </p>` expected := `<p> test </p>`
result := events.RenderAndSanitize(messageContent) result := events.RenderAndSanitize(messageContent)
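Review bot: The edited `messageContent` line replaces the plain remote-URL case with the `/img/emoji/` variant instead of adding to it, so the original regression (a remote image whose URL does not contain the directory name) is no longer exercised by this test. Keeping both inputs, for example as a slice of message strings ranged over with the same `expected` and the same assertion, covers the old and new bypass in one test. A complementary case asserting that a legitimate `/img/emoji/...` src is retained would also be worthwhile, since the new `^` anchor could otherwise be tightened later without any test noticing. TestBlockRemoteImages continues outside the hunk.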