Gek/disable remote images (#800)

* Disable images from anywhere but our emojis. Closes #756 * Add tests around images in chat messages * Update sanitizer + test
2025-11-04 13:27:21 +08:00 · 2021-03-08 23:20:15 -08:00
parent 319b6ebe11
commit de195f883e
2 changed files with 30 additions and 15 deletions
--- a/core/chat/messageRendering_test.go
+++ b/core/chat/messageRendering_test.go
@ -15,7 +15,7 @@ func TestRenderAndSanitize(t *testing.T) {

  ## blah blah blah
  [test link](http://owncast.online)
-  <img class="emoji" alt="bananadance.gif" width="600px" src="https://goth.land/img/emoji/bananadance.gif">
+  <img class="emoji" alt="bananadance.gif" width="600px" src="/img/emoji/bananadance.gif">
  <script src="http://hackers.org/hack.js"></script>
  `

@ -23,11 +23,32 @@ func TestRenderAndSanitize(t *testing.T) {
 Here is an iframe </p>
 blah blah blah
 <p><a href="http://owncast.online" rel="nofollow noreferrer noopener" target="_blank">test link</a>
-<img class="emoji" alt="bananadance.gif" src="https://goth.land/img/emoji/bananadance.gif"></p>`
+<img class="emoji" src="/img/emoji/bananadance.gif"></p>`

 	result := models.RenderAndSanitize(messageContent)
 	if result != expected {
 		t.Errorf("message rendering/sanitation does not match expected.  Got\n%s, \n\n want:\n%s", result, expected)
 	}
-
+}
+
+// Test to make sure we block remote images in chat messages.
+func TestBlockRemoteImages(t *testing.T) {
+	messageContent := `<img src="https://via.placeholder.com/350x150"> test ![](https://via.placeholder.com/350x150)`
+	expected := `<p> test </p>`
+	result := models.RenderAndSanitize(messageContent)
+
+	if result != expected {
+		t.Errorf("message rendering/sanitation does not match expected.  Got\n%s, \n\n want:\n%s", result, expected)
+	}
+}
+
+// Test to make sure emoji images are allowed in chat messages.
+func TestAllowEmojiImages(t *testing.T) {
+	messageContent := `<img src="/img/emoji/beerparrot.gif"> test ![](/img/emoji/beerparrot.gif)`
+	expected := `<p><img src="/img/emoji/beerparrot.gif"> test <img src="/img/emoji/beerparrot.gif"></p>`
+	result := models.RenderAndSanitize(messageContent)
+
+	if result != expected {
+		t.Errorf("message rendering/sanitation does not match expected.  Got\n%s, \n\n want:\n%s", result, expected)
+	}
 }
--- a/models/chatMessage.go
+++ b/models/chatMessage.go
@ -2,6 +2,7 @@ package models

 import (
 	"bytes"
+	"regexp"
 	"strings"
 	"time"

@ -96,6 +97,7 @@ func sanitize(raw string) string {

 	// Require URLs to be parseable by net/url.Parse
 	p.AllowStandardURLs()
+	p.RequireParseableURLs(true)

 	// Allow links
 	p.AllowAttrs("href").OnElements("a")
@ -106,19 +108,11 @@ func sanitize(raw string) string {
 	// Links will get target="_blank" added to them.
 	p.AddTargetBlankToFullyQualifiedLinks(true)

-	// Allow paragraphs
-	p.AllowElements("br")
-	p.AllowElements("p")
+	// Allow breaks
+	p.AllowElements("br", "p")

-	// Allow img tags
-	p.AllowElements("img")
-	p.AllowAttrs("src").OnElements("img")
-	p.AllowAttrs("alt").OnElements("img")
-	p.AllowAttrs("title").OnElements("img")
-
-	// Custom emoji have a class already specified.
-	// We should only allow classes on emoji, not *all* imgs.
-	// But TODO.
+	// Allow img tags from the the local emoji directory only
+	p.AllowAttrs("src", "alt", "class", "title").Matching(regexp.MustCompile(`(?i)/img/emoji`)).OnElements("img")
 	p.AllowAttrs("class").OnElements("img")

 	// Allow bold