Render and sanitize chat messages server-side. (#237)

* Render and sanitize chat messages server-side. Closes #235 * Render content.md server-side and return it in the client config * Remove showdown from web project * Update api spec * Move example user content file
2020-10-13 16:45:52 -07:00
parent 9eab6d7553
commit d7c3991b59
23 changed files with 408 additions and 5441 deletions
--- a/core/chat/messageRendering_test.go
+++ b/core/chat/messageRendering_test.go
@@ -0,0 +1,33 @@
+package chat
+
+import (
+	"testing"
+
+	"github.com/owncast/owncast/models"
+)
+
+// Test a bunch of arbitrary markup and markdown to make sure we get sanitized
+// and fully rendered HTML out of it.
+func TestRenderAndSanitize(t *testing.T) {
+	messageContent := `
+  Test one two three!  I go to http://yahoo.com and search for _sports_ and **answers**.
+  Here is an iframe <iframe src="http://yahoo.com"></iframe>
+
+  ## blah blah blah
+  [test link](http://owncast.online)
+  <img class="emoji" alt="bananadance.gif" width="600px" src="https://goth.land/img/emoji/bananadance.gif">
+  <script src="http://hackers.org/hack.js"></script>
+  `
+
+	expected := `<p>Test one two three!  I go to <a href="http://yahoo.com" rel="nofollow noreferrer noopener" target="_blank">http://yahoo.com</a> and search for <em>sports</em> and <strong>answers</strong>.
+Here is an iframe </p>
+blah blah blah
+<p><a href="http://owncast.online" rel="nofollow noreferrer noopener" target="_blank">test link</a>
+<img class="emoji" alt="bananadance.gif" src="https://goth.land/img/emoji/bananadance.gif"></p>`
+
+	result := models.RenderAndSanitize(messageContent)
+	if result != expected {
+		t.Errorf("message rendering/sanitation does not match expected.  Got\n%s, \n\n want:\n%s", result, expected)
+	}
+
+}
--- a/core/chat/server.go
+++ b/core/chat/server.go
@@ -110,10 +110,17 @@ func (s *server) Listen() {
 			delete(s.Clients, c.socketID)
 			s.listener.ClientRemoved(c.ClientID)

-		// broadcast a message to all clients
+			// message was recieved from a client and should be sanitized, validated
+			// and distributed to other clients.
 		case msg := <-s.sendAllCh:
+			// Will turn markdown into html, sanitize user-supplied raw html
+			// and standardize this message into something safe we can send everyone else.
+			msg.RenderAndSanitizeMessageBody()
+
 			s.listener.MessageSent(msg)
 			s.sendAll(msg)
+
+			// Store in the message history
 			addMessage(msg)
 		case ping := <-s.pingCh:
 			fmt.Println("PING?", ping)