dont allow []() url regex by default, only for people with permission like staff or in newsposts, announcements, etc.

merge-requests/218/head
Thomas Lynch 3 years ago
parent daf89c5548
commit 51f729b367
  1. 15
      helpers/posting/markdown.js
  2. 4
      helpers/posting/message.js
  3. 2
      models/forms/addcustompage.js
  4. 2
      models/forms/addnews.js
  5. 2
      models/forms/changeboardsettings.js
  6. 2
      models/forms/changeglobalsettings.js
  7. 2
      models/forms/editnews.js
  8. 2
      models/forms/editpost.js
  9. 2
      models/forms/makepost.js

@ -10,7 +10,8 @@ const greentextRegex = /^>((?!>\d+|>>/\w+(/\d*)?|>>#
, italicRegex = /\*\*(.+?)\*\*/gm
, spoilerRegex = /\|\|([\s\S]+?)\|\|/gm
, detectedRegex = /(\(\(\(.+?\)\)\))/gm
, linkRegex = /\[([^\[][^\]]*?)\]\((https?\:&#x2F;&#x2F;[^\s<>\[\]{}|\\^)]+)\)|(https\:&#x2F;&#x2F;[^\s<>\[\]{}|\\^]+)/g
, linkRegex = /(https?\:&#x2F;&#x2F;[^\s<>\[\]{}|\\^]+/g
, aLinkRegex = /\[([^\[][^\]]*?)\]\((https?\:&#x2F;&#x2F;[^\s<>\[\]{}|\\^)]+)\)|(https?\:&#x2F;&#x2F;[^\s<>\[\]{}|\\^]+)/g
, codeRegex = /(?:(?<language>[a-z+]{1,10})\r?\n)?(?<code>[\s\S]+)/i
, includeSplitRegex = /(\[code\][\s\S]+?\[\/code\])/gm
, splitRegex = /\[code\]([\s\S]+?)\[\/code\]/gm
@ -30,7 +31,7 @@ const greentextRegex = /^&gt;((?!&gt;\d+|&gt;&gt;&#x2F;\w+(&#x2F;\d*)?|&gt;&gt;#
{ regex: italicRegex, cb: (match, italic) => `<span class='em'>${italic}</span>` },
{ regex: spoilerRegex, cb: (match, spoiler) => `<span class='spoiler'>${spoiler}</span>` },
{ regex: monoRegex, cb: (match, mono) => `<span class='mono'>${mono}</span>` },
{ regex: linkRegex, cb: linkmatch },
{ regex: linkRegex, aRegex: aLinkRegex, cb: linkmatch },
{ regex: detectedRegex, cb: (match, detected) => `<span class='detected'>${detected}</span>` },
{ regex: diceroll.regexMarkdown, cb: diceroll.markdown },
];
@ -52,7 +53,7 @@ module.exports = {
return chunks.join('');
},
markdown: (text) => {
markdown: (text, allowAdvanced=false) => {
const chunks = text.split(splitRegex);
const { highlightOptions } = config.get;
for (let i = 0; i < chunks.length; i++) {
@ -60,7 +61,7 @@ module.exports = {
if (i % 2 === 0) {
const escaped = escape(chunks[i]);
const newlineFix = escaped.replace(/^\r?\n/,''); //fix ending newline because of codeblock
chunks[i] = module.exports.processRegularChunk(newlineFix);
chunks[i] = module.exports.processRegularChunk(newlineFix, allowAdvanced);
} else {
chunks[i] = module.exports.processCodeChunk(chunks[i], highlightOptions);
}
@ -89,9 +90,11 @@ module.exports = {
return `<span class='code'>${escape(trimFix)}</span>`;
},
processRegularChunk: (text) => {
processRegularChunk: (text, allowAdvanced) => {
for (let i = 0; i < replacements.length; i++) {
text = text.replace(replacements[i].regex, replacements[i].cb);
//if allowAdvanced is true, use aRegex if available
const replaceRegex = allowAdvanced === true && replacements[i].aRegex || replacements[i].regex;
text = text.replace(replaceRegex, replacements[i].cb);
}
return text;
},
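Review bot: The new default `linkRegex` in the first hunk has a different capture-group layout from `aLinkRegex` (a single URL group instead of label, URL and bare-URL groups), yet the replacements table routes both to the same `linkmatch` callback. `linkmatch` is defined outside these hunks, so this needs confirming: if it reads the bare URL from the third group, the default regex leaves that position holding what `String.prototype.replace` passes after the groups, and links from ordinary posters would render wrongly. As rendered here the new pattern also opens `(` without closing it, which would be a regex syntax error at load unless the page dropped a character; the likely intent is `/(https?\:&#x2F;&#x2F;[^\s<>\[\]{}|\\^]+)/g`. Named groups (`(?<label>…)`, `(?<url>…)`, `(?<urlOnly>…)`) in both patterns, as `codeRegex` already uses, would let one callback serve both layouts safely.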

@ -5,7 +5,7 @@ const quoteHandler = require(__dirname+'/quotes.js')
, sanitizeOptions = require(__dirname+'/sanitizeoptions.js')
, sanitize = require('sanitize-html');
module.exports = async (inputMessage, boardName, threadId=null) => {
module.exports = async (inputMessage, boardName, threadId=null, allowAdvanced=false) => {
let message = inputMessage;
let quotes = [];
@ -13,7 +13,7 @@ module.exports = async (inputMessage, boardName, threadId=null) => {
//markdown a post, link the quotes, sanitize and return message and quote arrays
if (message && message.length > 0) {
message = markdown(message);
message = markdown(message, allowAdvanced);
const { quotedMessage, threadQuotes, crossQuotes } = await quoteHandler.process(boardName, message, threadId);
message = quotedMessage;
quotes = threadQuotes;
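Review bot: The new fourth parameter `allowAdvanced` is a bare positional boolean with no comment saying what it unlocks or who may set it, and several callers now pass it after two `null`s. The `false` default is the right fail-closed choice. A one-line comment above the export would keep future callers from wiring it to request input, e.g. `//allowAdvanced: render masked [label](url) links; must come from a server-side permission check, never from req.body`. The function body continues past the end of this hunk.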

@ -9,7 +9,7 @@ const { CustomPages } = require(__dirname+'/../../db/')
module.exports = async (req, res, next) => {
const message = prepareMarkdown(req.body.message, false);
const { message: markdownMessage } = await messageHandler(message, null, null);
const { message: markdownMessage } = await messageHandler(message, null, null, true);
const post = {
'board': req.params.board,
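Review bot: The hard-coded `true` passed to `messageHandler` here makes masked-link rendering depend entirely on whatever permission check the route applies before this handler runs, and that check is not visible in the hunk. The same literal is added in addnews.js, editnews.js, changeboardsettings.js and changeglobalsettings.js. For the board-scoped forms (custom pages and board announcements) it is worth confirming that their authors are meant to be trusted with links whose label differs from the destination, since readers see only the label. A short comment at each call, such as `//allowAdvanced=true: caller is already permission-checked by the route`, would record that assumption where the next reviewer will look.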

@ -9,7 +9,7 @@ const { News } = require(__dirname+'/../../db/')
module.exports = async (req, res, next) => {
const message = prepareMarkdown(req.body.message, false);
const { message: markdownNews } = await messageHandler(message, null, null);
const { message: markdownNews } = await messageHandler(message, null, null, true);
const post = {
'title': req.body.title,

@ -26,7 +26,7 @@ module.exports = async (req, res, next) => {
const announcement = req.body.announcement === null ? null : prepareMarkdown(req.body.announcement, false);
let markdownAnnouncement = oldSettings.announcement.markdown;
if (announcement !== oldSettings.announcement.raw) {
({ message: markdownAnnouncement } = await messageHandler(announcement, req.params.board, null))
({ message: markdownAnnouncement } = await messageHandler(announcement, req.params.board, null, true))
}
let moderators = req.body.moderators != null ? req.body.moderators.split(/\r?\n/).filter(n => n && !(n == res.locals.board.owner)).slice(0,10) : [];

@ -19,7 +19,7 @@ module.exports = async (req, res, next) => {
const announcement = req.body.global_announcement === null ? null : prepareMarkdown(req.body.global_announcement, false);
let markdownAnnouncement = oldSettings.globalAnnouncement.markdown;
if (announcement !== oldSettings.globalAnnouncement.raw) {
({ message: markdownAnnouncement } = await messageHandler(announcement, null, null))
({ message: markdownAnnouncement } = await messageHandler(announcement, null, null, true))
}
const newSettings = {

@ -9,7 +9,7 @@ const { News } = require(__dirname+'/../../db/')
module.exports = async (req, res, next) => {
const message = prepareMarkdown(req.body.message, false);
const { message: markdownNews } = await messageHandler(message, null, null);
const { message: markdownNews } = await messageHandler(message, null, null, true);
const updated = await News.updateOne(req.body.news_id, req.body.title, message, markdownNews).then(r => r.matchedCount);

@ -85,7 +85,7 @@ todo: handle some more situations
board.settings, board.owner, res.locals.user ? res.locals.user.username : null);
//new message and quotes
const nomarkup = prepareMarkdown(req.body.message, false);
const { message, quotes, crossquotes } = await messageHandler(nomarkup, req.body.board, post.thread);
const { message, quotes, crossquotes } = await messageHandler(nomarkup, req.body.board, post.thread, true);
//todo: email and subject (probably dont need any transformation since staff bypass limits on forceanon, and it doesnt have to account for sage/etc
//intersection/difference of quotes sets for linking and unlinking
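Review bot: Passing `true` here re-renders the whole edited message with the advanced link regex, regardless of who wrote the original text. If the edit form is pre-filled with the poster's raw message (not visible in this hunk), a `[label](url)` string that stayed plain text when an ordinary user posted it would become a masked link once staff save an edit made for any unrelated reason. Consider keeping the default for text the editor did not author, or at least documenting the behaviour at the call, e.g. `//note: edit re-renders with masked links enabled, including text written by the original poster`. The handler body starts and ends outside the hunk.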

@ -412,7 +412,7 @@ ${res.locals.numFiles > 0 ? req.files.file.map(f => f.name+'|'+(f.phash || '')).
res.locals.board.settings, res.locals.board.owner, res.locals.user ? res.locals.user.username : null);
//get message, quotes and crossquote array
const nomarkup = prepareMarkdown(req.body.message, true);
const { message, quotes, crossquotes } = await messageHandler(nomarkup, req.params.board, req.body.thread);
const { message, quotes, crossquotes } = await messageHandler(nomarkup, req.params.board, req.body.thread, permLevel < 4);
//build post data for db. for some reason all the property names are lower case :^)
const data = {
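Review bot: `permLevel < 4` is a magic number whose meaning is not visible in this hunk; presumably lower values are more privileged and 4 is an ordinary poster, but that should be confirmed where `permLevel` is assigned. A named constant or a comment, e.g. `//masked []() links only for board staff and above`, would make the trust boundary reviewable. The comparison fails closed when `permLevel` is undefined (`undefined < 4` is false), which is worth preserving. It should also be confirmed that `permLevel` is derived from the authenticated session rather than from anything in the request body.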
