Gek/disable remote images (#800)

* Disable images from anywhere but our emojis. Closes #756

* Add tests around images in chat messages

* Update sanitizer + test

core/chat/messageRendering_test.go

@@ -15,7 +15,7 @@ func TestRenderAndSanitize(t *testing.T) {
 
   ## blah blah blah
   [test link](http://owncast.online)
-  <img class="emoji" alt="bananadance.gif" width="600px" src="https://goth.land/img/emoji/bananadance.gif">
+  <img class="emoji" alt="bananadance.gif" width="600px" src="/img/emoji/bananadance.gif">
   <script src="http://hackers.org/hack.js"></script>
   `
 
@@ -23,11 +23,32 @@ func TestRenderAndSanitize(t *testing.T) {
 Here is an iframe </p>
 blah blah blah
 <p><a href="http://owncast.online" rel="nofollow noreferrer noopener" target="_blank">test link</a>
-<img class="emoji" alt="bananadance.gif" src="https://goth.land/img/emoji/bananadance.gif"></p>`
+<img class="emoji" src="/img/emoji/bananadance.gif"></p>`
 
 	result := models.RenderAndSanitize(messageContent)
 	if result != expected {
 		t.Errorf("message rendering/sanitation does not match expected.  Got\n%s, \n\n want:\n%s", result, expected)
 	}
-
+}
+
+// Test to make sure we block remote images in chat messages.
+func TestBlockRemoteImages(t *testing.T) {
+	messageContent := `<img src="https://via.placeholder.com/350x150"> test ![](https://via.placeholder.com/350x150)`
+	expected := `<p> test </p>`
+	result := models.RenderAndSanitize(messageContent)
+
+	if result != expected {
+		t.Errorf("message rendering/sanitation does not match expected.  Got\n%s, \n\n want:\n%s", result, expected)
+	}
+}
+
+// Test to make sure emoji images are allowed in chat messages.
+func TestAllowEmojiImages(t *testing.T) {
+	messageContent := `<img src="/img/emoji/beerparrot.gif"> test ![](/img/emoji/beerparrot.gif)`
+	expected := `<p><img src="/img/emoji/beerparrot.gif"> test <img src="/img/emoji/beerparrot.gif"></p>`
+	result := models.RenderAndSanitize(messageContent)
+
+	if result != expected {
+		t.Errorf("message rendering/sanitation does not match expected.  Got\n%s, \n\n want:\n%s", result, expected)
+	}
 }

models/chatMessage.go

@@ -2,6 +2,7 @@ package models
 
 import (
 	"bytes"
+	"regexp"
 	"strings"
 	"time"
 
@@ -96,6 +97,7 @@ func sanitize(raw string) string {
 
 	// Require URLs to be parseable by net/url.Parse
 	p.AllowStandardURLs()
+	p.RequireParseableURLs(true)
 
 	// Allow links
 	p.AllowAttrs("href").OnElements("a")
@@ -106,19 +108,11 @@ func sanitize(raw string) string {
 	// Links will get target="_blank" added to them.
 	p.AddTargetBlankToFullyQualifiedLinks(true)
 
-	// Allow paragraphs
+	// Allow breaks
-	p.AllowElements("br")
+	p.AllowElements("br", "p")
-	p.AllowElements("p")
 
-	// Allow img tags
+	// Allow img tags from the the local emoji directory only
-	p.AllowElements("img")
+	p.AllowAttrs("src", "alt", "class", "title").Matching(regexp.MustCompile(`(?i)/img/emoji`)).OnElements("img")
-	p.AllowAttrs("src").OnElements("img")
-	p.AllowAttrs("alt").OnElements("img")
-	p.AllowAttrs("title").OnElements("img")
-
-	// Custom emoji have a class already specified.
-	// We should only allow classes on emoji, not *all* imgs.
-	// But TODO.
 	p.AllowAttrs("class").OnElements("img")
 
 	// Allow bold