replace common markdown filter with limited html version to prevent users deanon by remote images request

12 months ago · 2d2e79cd07
3 changed files with 42 additions and 1 deletions
--- a/.env
+++ b/.env
@ -19,7 +19,7 @@ APP_ENV=dev
				@@ -19,7 +19,7 @@ APP_ENV=dev
 APP_SECRET=EDIT_ME
 ###< symfony/framework-bundle ###

-APP_VERSION=1.2.0
+APP_VERSION=1.2.1

 APP_NAME=KevaChat

--- a/src/Twig/AppExtension.php
+++ b/src/Twig/AppExtension.php
@ -52,6 +52,20 @@ class AppExtension extends AbstractExtension
				@@ -52,6 +52,20 @@ class AppExtension extends AbstractExtension
                    'mentionToMarkdown'
                ]
            ),
+            new TwigFilter(
+                'url_to_html',
+                [
+                    $this,
+                    'urlToHtml'
+                ]
+            ),
+            new TwigFilter(
+                'mention_to_html',
+                [
+                    $this,
+                    'mentionToHtml'
+                ]
+            ),
            new TwigFilter(
                'keva_namespace_value',
                [
@ -170,6 +184,28 @@ class AppExtension extends AbstractExtension
				@@ -170,6 +184,28 @@ class AppExtension extends AbstractExtension
        );
    }

+    public function urlToHtml(
+        string $text
+    ): string
+    {
+        return preg_replace(
+            '~(https?://(?:www\.)?[^\(\s\)]+)~i',
+            '<a href="$1">$1</a>',
+            $text
+        );
+    }
+
+    public function mentionToHtml(
+        string $text
+    ): string
+    {
+        return preg_replace(
+            '~@([A-z0-9]{64})~i',
+            '<a href="#$1">@$1</a>',
+            $text
+        );
+    }
+
    private function plural(int $number, array $texts)
    {
        $cases = [2, 0, 1, 1, 1, 2];
--- a/templates/default/room/index.html.twig
+++ b/templates/default/room/index.html.twig
@ -34,8 +34,13 @@
				@@ -34,8 +34,13 @@
                            </svg>
                        </span>
                    {% endif %}
+                    {# markdown filter enabled could deanon chat users by external image request, disabled
                    <br />
                    {{ post.message | message_to_markdown | markdown_to_html }}
+                    #}
+                    <p>
+                        {{ post.message | trim | nl2br | url_to_html | mention_to_html }}
+                    </p>
                </li>
            {% endfor %}
        </ul>