replace common markdown filter with limited html version to prevent users deanon by remote images request

2025-01-10 23:08:14 +00:00 · 2023-12-08 03:40:02 +02:00 · 2023-12-08 03:40:02 +02:00 · 2d2e79cd07
commit 2d2e79cd07
parent 2327cc7d0a
3 changed files with 42 additions and 1 deletions
--- a/.env
+++ b/.env
@ -19,7 +19,7 @@ APP_ENV=dev
 APP_SECRET=EDIT_ME
 ###< symfony/framework-bundle ###
-APP_VERSION=1.2.0
+APP_VERSION=1.2.1
 APP_NAME=KevaChat
--- a/src/Twig/AppExtension.php
+++ b/src/Twig/AppExtension.php
@ -52,6 +52,20 @@ class AppExtension extends AbstractExtension
                    'mentionToMarkdown'
                ]
            ),
            new TwigFilter(
                'url_to_html',
                [
                    $this,
                    'urlToHtml'
                ]
            ),
            new TwigFilter(
                'mention_to_html',
                [
                    $this,
                    'mentionToHtml'
                ]
            ),
            new TwigFilter(
                'keva_namespace_value',
                [
@ -170,6 +184,28 @@ class AppExtension extends AbstractExtension
        );
    }
    public function urlToHtml(
        string $text
    ): string
    {
        return preg_replace(
            '~(https?://(?:www\.)?[^\(\s\)]+)~i',
            '<a href="$1">$1</a>',
            $text
        );
    }
    public function mentionToHtml(
        string $text
    ): string
    {
        return preg_replace(
            '~@([A-z0-9]{64})~i',
            '<a href="#$1">@$1</a>',
            $text
        );
    }
    private function plural(int $number, array $texts)
    {
        $cases = [2, 0, 1, 1, 1, 2];
--- a/templates/default/room/index.html.twig
+++ b/templates/default/room/index.html.twig
@ -34,8 +34,13 @@
                            </svg>
                        </span>
                    {% endif %}
                    {# markdown filter enabled could deanon chat users by external image request, disabled
                    <br />
                    {{ post.message | message_to_markdown | markdown_to_html }}
                    #}
                    <p>
                        {{ post.message | trim | nl2br | url_to_html | mention_to_html }}
                    </p>
                </li>
            {% endfor %}
        </ul>