From c16c0719528102a8e0af4bf66f39313064789ff4 Mon Sep 17 00:00:00 2001
From: ghost <localhost>
Date: Fri, 8 Dec 2023 20:22:10 +0200
Subject: [PATCH] apply markdown whitelist filters only to prevent ping from
 remote includes

---
 templates/default/room/index.html.twig | 15 +++++++++------
 1 file changed, 9 insertions(+), 6 deletions(-)

diff --git a/templates/default/room/index.html.twig b/templates/default/room/index.html.twig
index 26508bb..f26d097 100644
--- a/templates/default/room/index.html.twig
+++ b/templates/default/room/index.html.twig
@@ -34,13 +34,16 @@
                             </svg>
                         </span>
                     {% endif %}
-                    {# markdown filter enabled could deanon chat users by external image request, disabled
                     <br />
-                    {{ post.message | message_to_markdown | markdown_to_html }}
-                    #}
-                    <p>
-                        {{ post.message | trim | nl2br }}
-                    </p>
+                    {# apply markdown whitelist filters only to prevent ping from remote includes #}
+                    {{
+                        post.message | trim
+                                     | striptags
+                                     | markdown_to_html
+                                     | striptags
+                                     | message_to_markdown
+                                     | markdown_to_html
+                    }}
                 </li>
             {% endfor %}
         </ul>