Gek/disable remote images (#800)

* Disable images from anywhere but our emojis. Closes #756 * Add tests around images in chat messages * Update sanitizer + test
2021-03-08 23:20:15 -08:00
parent 319b6ebe11
commit de195f883e
2 changed files with 30 additions and 15 deletions
--- a/core/chat/messageRendering_test.go
+++ b/core/chat/messageRendering_test.go
@@ -15,7 +15,7 @@ func TestRenderAndSanitize(t *testing.T) {

  ## blah blah blah
  [test link](http://owncast.online)
-  <img class="emoji" alt="bananadance.gif" width="600px" src="https://goth.land/img/emoji/bananadance.gif">
+  <img class="emoji" alt="bananadance.gif" width="600px" src="/img/emoji/bananadance.gif">
  <script src="http://hackers.org/hack.js"></script>
  `

@@ -23,11 +23,32 @@ func TestRenderAndSanitize(t *testing.T) {
 Here is an iframe </p>
 blah blah blah
 <p><a href="http://owncast.online" rel="nofollow noreferrer noopener" target="_blank">test link</a>
-<img class="emoji" alt="bananadance.gif" src="https://goth.land/img/emoji/bananadance.gif"></p>`
+<img class="emoji" src="/img/emoji/bananadance.gif"></p>`

 	result := models.RenderAndSanitize(messageContent)
 	if result != expected {
 		t.Errorf("message rendering/sanitation does not match expected.  Got\n%s, \n\n want:\n%s", result, expected)
 	}
-
+}
+
+// Test to make sure we block remote images in chat messages.
+func TestBlockRemoteImages(t *testing.T) {
+	messageContent := `<img src="https://via.placeholder.com/350x150"> test ![](https://via.placeholder.com/350x150)`
+	expected := `<p> test </p>`
+	result := models.RenderAndSanitize(messageContent)
+
+	if result != expected {
+		t.Errorf("message rendering/sanitation does not match expected.  Got\n%s, \n\n want:\n%s", result, expected)
+	}
+}
+
+// Test to make sure emoji images are allowed in chat messages.
+func TestAllowEmojiImages(t *testing.T) {
+	messageContent := `<img src="/img/emoji/beerparrot.gif"> test ![](/img/emoji/beerparrot.gif)`
+	expected := `<p><img src="/img/emoji/beerparrot.gif"> test <img src="/img/emoji/beerparrot.gif"></p>`
+	result := models.RenderAndSanitize(messageContent)
+
+	if result != expected {
+		t.Errorf("message rendering/sanitation does not match expected.  Got\n%s, \n\n want:\n%s", result, expected)
+	}
 }