mirror of
https://github.com/LemmyNet/lemmy.git
synced 2024-05-10 14:02:39 +00:00
e8a52d3a5c
* Add markdown rule to add rel=nofollow for all links * Add markdown image rule to add local image proxy (fixes #1036) * comments * rewrite markdown image links working * add comment * perform markdown image processing in api/apub receivers * clippy * add db table to validate proxied links * rewrite link fields for avatar, banner etc * sql fmt * proxy links received over federation * add config option * undo post.url rewriting, move http route definition * add tests * proxy images through pictrs * testing * cleanup request.rs file * more cleanup (fixes #2611) * include url content type when sending post over apub (fixes #2611) * store post url content type in db * should be media_type * get rid of cache_remote_thumbnails setting, instead automatically take thumbnail from federation data if available. * fix tests * add setting disable_external_link_previews * federate post url as image depending on mime type * change setting again * machete * invert * support custom emoji * clippy * update defaults * add image proxy test, fix test * fix test * clippy * revert accidental changes * address review * clippy * Markdown link rule-dess (#4356) * Extracting opengraph_data to its own type. * A few additions for markdown-link-rule. --------- Co-authored-by: Nutomic <me@nutomic.com> * fix setting * use enum for image proxy setting * fix test configs * add config backwards compat * clippy * machete --------- Co-authored-by: Dessalines <dessalines@users.noreply.github.com>
247 lines
8.8 KiB
Rust
247 lines
8.8 KiB
Rust
use crate::settings::SETTINGS;
|
||
use markdown_it::{plugins::cmark::inline::image::Image, MarkdownIt};
|
||
use once_cell::sync::Lazy;
|
||
use url::Url;
|
||
use urlencoding::encode;
|
||
|
||
mod link_rule;
|
||
mod spoiler_rule;
|
||
|
||
static MARKDOWN_PARSER: Lazy<MarkdownIt> = Lazy::new(|| {
|
||
let mut parser = MarkdownIt::new();
|
||
markdown_it::plugins::cmark::add(&mut parser);
|
||
markdown_it::plugins::extra::add(&mut parser);
|
||
spoiler_rule::add(&mut parser);
|
||
link_rule::add(&mut parser);
|
||
|
||
parser
|
||
});
|
||
|
||
/// Replace special HTML characters in API parameters to prevent XSS attacks.
|
||
///
|
||
/// Taken from https://github.com/OWASP/CheatSheetSeries/blob/master/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.md#output-encoding-for-html-contexts
|
||
///
|
||
/// `>` is left in place because it is interpreted as markdown quote.
|
||
pub fn sanitize_html(text: &str) -> String {
|
||
text
|
||
.replace('&', "&")
|
||
.replace('<', "<")
|
||
.replace('\"', """)
|
||
.replace('\'', "'")
|
||
}
|
||
|
||
pub fn markdown_to_html(text: &str) -> String {
|
||
MARKDOWN_PARSER.parse(text).xrender()
|
||
}
|
||
|
||
/// Rewrites all links to remote domains in markdown, so they go through `/api/v3/image_proxy`.
|
||
pub fn markdown_rewrite_image_links(mut src: String) -> (String, Vec<Url>) {
|
||
let ast = MARKDOWN_PARSER.parse(&src);
|
||
let mut links_offsets = vec![];
|
||
|
||
// Walk the syntax tree to find positions of image links
|
||
ast.walk(|node, _depth| {
|
||
if let Some(image) = node.cast::<Image>() {
|
||
// srcmap is always present for image
|
||
// https://github.com/markdown-it-rust/markdown-it/issues/36#issuecomment-1777844387
|
||
let node_offsets = node.srcmap.expect("srcmap is none").get_byte_offsets();
|
||
// necessary for custom emojis which look like ``
|
||
let start_offset = node_offsets.1
|
||
- image.url.len()
|
||
- 1
|
||
- image
|
||
.title
|
||
.as_ref()
|
||
.map(|t| t.len() + 3)
|
||
.unwrap_or_default();
|
||
let end_offset = node_offsets.1 - 1;
|
||
|
||
links_offsets.push((start_offset, end_offset));
|
||
}
|
||
});
|
||
|
||
let mut links = vec![];
|
||
// Go through the collected links in reverse order
|
||
while let Some((start, end)) = links_offsets.pop() {
|
||
let content = src.get(start..end).unwrap_or_default();
|
||
// necessary for custom emojis which look like ``
|
||
let (url, extra) = if content.contains(' ') {
|
||
let split = content.split_once(' ').expect("split is valid");
|
||
(split.0, Some(split.1))
|
||
} else {
|
||
(content, None)
|
||
};
|
||
match Url::parse(url) {
|
||
Ok(parsed) => {
|
||
links.push(parsed.clone());
|
||
// If link points to remote domain, replace with proxied link
|
||
if parsed.domain() != Some(&SETTINGS.hostname) {
|
||
let mut proxied = format!(
|
||
"{}/api/v3/image_proxy?url={}",
|
||
SETTINGS.get_protocol_and_hostname(),
|
||
encode(url),
|
||
);
|
||
// restore custom emoji format
|
||
if let Some(extra) = extra {
|
||
proxied = format!("{proxied} {extra}");
|
||
}
|
||
src.replace_range(start..end, &proxied);
|
||
}
|
||
}
|
||
Err(_) => {
|
||
// If its not a valid url, replace with empty text
|
||
src.replace_range(start..end, "");
|
||
}
|
||
}
|
||
}
|
||
|
||
(src, links)
|
||
}
|
||
|
||
#[cfg(test)]
|
||
mod tests {
|
||
#![allow(clippy::unwrap_used)]
|
||
#![allow(clippy::indexing_slicing)]
|
||
|
||
use super::*;
|
||
use pretty_assertions::assert_eq;
|
||
|
||
#[test]
|
||
fn test_basic_markdown() {
|
||
let tests: Vec<_> = vec![
|
||
(
|
||
"headings",
|
||
"# h1\n## h2\n### h3\n#### h4\n##### h5\n###### h6",
|
||
"<h1>h1</h1>\n<h2>h2</h2>\n<h3>h3</h3>\n<h4>h4</h4>\n<h5>h5</h5>\n<h6>h6</h6>\n"
|
||
),
|
||
(
|
||
"line breaks",
|
||
"First\rSecond",
|
||
"<p>First\nSecond</p>\n"),
|
||
(
|
||
"emphasis",
|
||
"__bold__ **bold** *italic* ***bold+italic***",
|
||
"<p><strong>bold</strong> <strong>bold</strong> <em>italic</em> <em><strong>bold+italic</strong></em></p>\n"
|
||
),
|
||
(
|
||
"blockquotes",
|
||
"> #### Hello\n > \n > - Hola\n > - 안영 \n>> Goodbye\n",
|
||
"<blockquote>\n<h4>Hello</h4>\n<ul>\n<li>Hola</li>\n<li>안영</li>\n</ul>\n<blockquote>\n<p>Goodbye</p>\n</blockquote>\n</blockquote>\n"
|
||
),
|
||
(
|
||
"lists (ordered, unordered)",
|
||
"1. pen\n2. apple\n3. apple pen\n- pen\n- pineapple\n- pineapple pen",
|
||
"<ol>\n<li>pen</li>\n<li>apple</li>\n<li>apple pen</li>\n</ol>\n<ul>\n<li>pen</li>\n<li>pineapple</li>\n<li>pineapple pen</li>\n</ul>\n"
|
||
),
|
||
(
|
||
"code and code blocks",
|
||
"this is my amazing `code snippet` and my amazing ```code block```",
|
||
"<p>this is my amazing <code>code snippet</code> and my amazing <code>code block</code></p>\n"
|
||
),
|
||
// Links with added nofollow attribute
|
||
(
|
||
"links",
|
||
"[Lemmy](https://join-lemmy.org/ \"Join Lemmy!\")",
|
||
"<p><a href=\"https://join-lemmy.org/\" rel=\"nofollow\" title=\"Join Lemmy!\">Lemmy</a></p>\n"
|
||
),
|
||
// Remote images with proxy
|
||
(
|
||
"images",
|
||
"![My linked image](https://example.com/image.png \"image alt text\")",
|
||
"<p><img src=\"https://example.com/image.png\" alt=\"My linked image\" title=\"image alt text\" /></p>\n"
|
||
),
|
||
// Local images without proxy
|
||
(
|
||
"images",
|
||
"![My linked image](https://lemmy-alpha/image.png \"image alt text\")",
|
||
"<p><img src=\"https://lemmy-alpha/image.png\" alt=\"My linked image\" title=\"image alt text\" /></p>\n"
|
||
),
|
||
// Ensure spoiler plugin is added
|
||
(
|
||
"basic spoiler",
|
||
"::: spoiler click to see more\nhow spicy!\n:::\n",
|
||
"<details><summary>click to see more</summary><p>how spicy!\n</p></details>\n"
|
||
),
|
||
(
|
||
"escape html special chars",
|
||
"<script>alert('xss');</script> hello &\"",
|
||
"<p><script>alert(‘xss’);</script> hello &"</p>\n"
|
||
)
|
||
];
|
||
|
||
tests.iter().for_each(|&(msg, input, expected)| {
|
||
let result = markdown_to_html(input);
|
||
|
||
assert_eq!(
|
||
result, expected,
|
||
"Testing {}, with original input '{}'",
|
||
msg, input
|
||
);
|
||
});
|
||
}
|
||
|
||
#[test]
|
||
fn test_markdown_proxy_images() {
|
||
let tests: Vec<_> =
|
||
vec",
|
||
"",
|
||
),
|
||
(
|
||
"local image unproxied",
|
||
"",
|
||
"",
|
||
),
|
||
(
|
||
"multiple image links",
|
||
" ",
|
||
" ",
|
||
),
|
||
(
|
||
"empty link handled",
|
||
"![image]()",
|
||
"![image]()"
|
||
),
|
||
(
|
||
"empty label handled",
|
||
"",
|
||
""
|
||
),
|
||
(
|
||
"invalid image link removed",
|
||
"",
|
||
"![image]()"
|
||
),
|
||
(
|
||
"label with nested markdown handled",
|
||
"",
|
||
""
|
||
),
|
||
(
|
||
"custom emoji support",
|
||
r#""#,
|
||
r#""#
|
||
)
|
||
];
|
||
|
||
tests.iter().for_each(|&(msg, input, expected)| {
|
||
let result = markdown_rewrite_image_links(input.to_string());
|
||
|
||
assert_eq!(
|
||
result.0, expected,
|
||
"Testing {}, with original input '{}'",
|
||
msg, input
|
||
);
|
||
});
|
||
}
|
||
|
||
#[test]
|
||
fn test_sanitize_html() {
|
||
let sanitized = sanitize_html("<script>alert('xss');</script> hello &\"'");
|
||
let expected = "<script>alert('xss');</script> hello &"'";
|
||
assert_eq!(expected, sanitized)
|
||
}
|
||
}
|