Gek/disable remote images (#800)

* Disable images from anywhere but our emojis. Closes #756

* Add tests around images in chat messages

* Update sanitizer + test

models/chatMessage.go

@@ -2,6 +2,7 @@ package models
 
 import (
 	"bytes"
+	"regexp"
 	"strings"
 	"time"
 
@@ -96,6 +97,7 @@ func sanitize(raw string) string {
 
 	// Require URLs to be parseable by net/url.Parse
 	p.AllowStandardURLs()
+	p.RequireParseableURLs(true)
 
 	// Allow links
 	p.AllowAttrs("href").OnElements("a")
@@ -106,19 +108,11 @@ func sanitize(raw string) string {
 	// Links will get target="_blank" added to them.
 	p.AddTargetBlankToFullyQualifiedLinks(true)
 
-	// Allow paragraphs
-	p.AllowElements("br")
-	p.AllowElements("p")
+	// Allow breaks
+	p.AllowElements("br", "p")
 
-	// Allow img tags
-	p.AllowElements("img")
-	p.AllowAttrs("src").OnElements("img")
-	p.AllowAttrs("alt").OnElements("img")
-	p.AllowAttrs("title").OnElements("img")
-
-	// Custom emoji have a class already specified.
-	// We should only allow classes on emoji, not *all* imgs.
-	// But TODO.
+	// Allow img tags from the the local emoji directory only
+	p.AllowAttrs("src", "alt", "class", "title").Matching(regexp.MustCompile(`(?i)/img/emoji`)).OnElements("img")
 	p.AllowAttrs("class").OnElements("img")
 
 	// Allow bold