Prevent remote image injection with /img/emoji/ in url (#1245)
* test remote img blocking with /img/emoji/ in url
* fix emoji filter to prevent injection of remote img with /img/emoji in url
This commit is contained in:
parent
ae78283caf
commit
a8e93de134
@ -139,7 +139,7 @@ func sanitize(raw string) string {
|
|||||||
p.AllowElements("br", "p")
|
p.AllowElements("br", "p")
|
||||||
|
|
||||||
// Allow img tags from the the local emoji directory only
|
// Allow img tags from the the local emoji directory only
|
||||||
p.AllowAttrs("src").Matching(regexp.MustCompile(`(?i)/img/emoji`)).OnElements("img")
|
p.AllowAttrs("src").Matching(regexp.MustCompile(`(?i)^/img/emoji`)).OnElements("img")
|
||||||
p.AllowAttrs("alt", "title").Matching(regexp.MustCompile(`:\S+:`)).OnElements("img")
|
p.AllowAttrs("alt", "title").Matching(regexp.MustCompile(`:\S+:`)).OnElements("img")
|
||||||
p.AllowAttrs("class").OnElements("img")
|
p.AllowAttrs("class").OnElements("img")
|
||||||
|
|
||||||
|
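Review bot: The new pattern `(?i)^/img/emoji` anchors only the start of the src value, so it still accepts anything that merely begins with that prefix (e.g. `/img/emojis/...` or a query string appended to it); a trailing slash and an end anchor on the filename, `(?i)^/img/emoji/[^/?#]+$`, would pin the attribute to a single file inside the emoji directory rather than a prefix. Whether the emoji files carry an extension to match on is not visible here, so the exact character class should be checked against what the directory serves. The unchanged context comment reads "from the the local emoji directory" and could be corrected to `// Allow img tags from the local emoji directory only` while this line is being touched. The body of sanitize starts and continues outside this hunk.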
@ -33,7 +33,7 @@ blah blah blah
|
|||||||
|
|
||||||
// Test to make sure we block remote images in chat messages.
|
// Test to make sure we block remote images in chat messages.
|
||||||
func TestBlockRemoteImages(t *testing.T) {
|
func TestBlockRemoteImages(t *testing.T) {
|
||||||
messageContent := `<img src="https://via.placeholder.com/350x150"> test ![](https://via.placeholder.com/350x150)`
|
messageContent := `<img src="https://via.placeholder.com/img/emoji/350x150"> test ![](https://via.placeholder.com/img/emoji/350x150)`
|
||||||
expected := `<p> test </p>`
|
expected := `<p> test </p>`
|
||||||
result := events.RenderAndSanitize(messageContent)
|
result := events.RenderAndSanitize(messageContent)
|
||||||
|
|
||||||
|
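Review bot: Changing messageContent in place drops the coverage the test had for a plain remote URL with no `/img/emoji/` segment, so the original blocking behaviour is no longer asserted anywhere in this test. Keep both inputs, for instance by looping over a slice such as `for _, src := range []string{"https://via.placeholder.com/350x150", "https://via.placeholder.com/img/emoji/350x150"} {` and building messageContent from `src`, with the same `expected`. A protocol-relative form (`//host/img/emoji/...`) and a mixed-case path are the other variants the `(?i)^/img/emoji` anchor is meant to reject and would be worth asserting in the same table. The assertion that compares `result` to `expected` lies outside this hunk.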