From 51f729b367280b6e9e3773a28521bc9f109ab450 Mon Sep 17 00:00:00 2001
From: Thomas Lynch
Date: Fri, 12 Feb 2021 13:51:07 +0000
Subject: [PATCH] dont allow []() url regex by default, only for people with permission like staff or in newsposts, announcements, etc.
---
 helpers/posting/markdown.js | 15 +++++++++------
 helpers/posting/message.js | 4 ++--
 models/forms/addcustompage.js | 2 +-
 models/forms/addnews.js | 2 +-
 models/forms/changeboardsettings.js | 2 +-
 models/forms/changeglobalsettings.js | 2 +-
 models/forms/editnews.js | 2 +-
 models/forms/editpost.js | 2 +-
 models/forms/makepost.js | 2 +-
 9 files changed, 18 insertions(+), 15 deletions(-)
diff --git a/helpers/posting/markdown.js b/helpers/posting/markdown.js
index b24f2080..8bc1f694 100644
--- a/helpers/posting/markdown.js
+++ b/helpers/posting/markdown.js
@@ -10,7 +10,8 @@ const greentextRegex = /^>((?!>\d+|>>/\w+(/\d*)?|>>#
 , italicRegex = /\*\*(.+?)\*\*/gm
 , spoilerRegex = /\|\|([\s\S]+?)\|\|/gm
 , detectedRegex = /(\(\(\(.+?\)\)\))/gm
- , linkRegex = /\[([^\[][^\]]*?)\]\((https?\://[^\s<>\[\]{}|\\^)]+)\)|(https\://[^\s<>\[\]{}|\\^]+)/g
+ , linkRegex = /(https?\://[^\s<>\[\]{}|\\^]+/g
+ , aLinkRegex = /\[([^\[][^\]]*?)\]\((https?\://[^\s<>\[\]{}|\\^)]+)\)|(https?\://[^\s<>\[\]{}|\\^]+)/g
 , codeRegex = /(?:(?[a-z+]{1,10})\r?\n)?(?[\s\S]+)/i
 , includeSplitRegex = /(\[code\][\s\S]+?\[\/code\])/gm
 , splitRegex = /\[code\]([\s\S]+?)\[\/code\]/gm
@@ -30,7 +31,7 @@ const greentextRegex = /^>((?!>\d+|>>/\w+(/\d*)?|>>#
 { regex: italicRegex, cb: (match, italic) => `${italic}` },
 { regex: spoilerRegex, cb: (match, spoiler) => `${spoiler}` },
 { regex: monoRegex, cb: (match, mono) => `${mono}` },
- { regex: linkRegex, cb: linkmatch },
+ { regex: linkRegex, aRegex: aLinkRegex, cb: linkmatch },
 { regex: detectedRegex, cb: (match, detected) => `${detected}` },
 { regex: diceroll.regexMarkdown, cb: diceroll.markdown },
 ];
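Review bot: The default `linkRegex` and the new `aLinkRegex` are both paired with the single `linkmatch` callback (the `replacements` entry in the next hunk), but they do not expose the same capture groups: the removed pattern and `aLinkRegex` have three (label, bracketed URL, bare URL), the new default has at most one. `replace` passes groups positionally, then the offset and the input string, so on the default path `linkmatch` (defined outside these hunks) would see the bare URL where it previously saw the label and the match offset where it saw the URL; that should be checked against its parameter list. As rendered on this page the new `linkRegex` also opens a `(` that is never closed, which would fail at parse time if the committed file matches. Keeping the bare URL in the third group in both patterns, and noting it with `//linkRegex and aLinkRegex must keep the same capture group order, linkmatch reads them by position`, would remove the ambiguity.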
@@ -52,7 +53,7 @@ module.exports = {
 return chunks.join('');
 },
- markdown: (text) => {
+ markdown: (text, allowAdvanced=false) => {
 const chunks = text.split(splitRegex);
 const { highlightOptions } = config.get;
 for (let i = 0; i < chunks.length; i++) {
@@ -60,7 +61,7 @@ module.exports = {
 if (i % 2 === 0) {
 const escaped = escape(chunks[i]);
 const newlineFix = escaped.replace(/^\r?\n/,''); //fix ending newline because of codeblock
- chunks[i] = module.exports.processRegularChunk(newlineFix);
+ chunks[i] = module.exports.processRegularChunk(newlineFix, allowAdvanced);
 } else {
 chunks[i] = module.exports.processCodeChunk(chunks[i], highlightOptions);
 }
@@ -89,9 +90,11 @@ module.exports = {
 return `${escape(trimFix)}`;
 },
- processRegularChunk: (text) => {
+ processRegularChunk: (text, allowAdvanced) => {
 for (let i = 0; i < replacements.length; i++) {
- text = text.replace(replacements[i].regex, replacements[i].cb);
+ //if allowAdvanced is true, use aRegex if available
+ const replaceRegex = allowAdvanced === true && replacements[i].aRegex || replacements[i].regex;
+ text = text.replace(replaceRegex, replacements[i].cb);
 }
 return text;
 },
diff --git a/helpers/posting/message.js b/helpers/posting/message.js
index bf91b110..cb392fee 100644
--- a/helpers/posting/message.js
+++ b/helpers/posting/message.js
@@ -5,7 +5,7 @@ const quoteHandler = require(__dirname+'/quotes.js')
 , sanitizeOptions = require(__dirname+'/sanitizeoptions.js')
 , sanitize = require('sanitize-html');
-module.exports = async (inputMessage, boardName, threadId=null) => {
+module.exports = async (inputMessage, boardName, threadId=null, allowAdvanced=false) => {
 let message = inputMessage;
 let quotes = [];
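Review bot: The selection `allowAdvanced === true && replacements[i].aRegex || replacements[i].regex` in processRegularChunk relies on `&&` binding tighter than `||`, which is easy to misread on the one line that decides whether privileged markup is enabled. Spelling out the fallback reads more safely: `const { regex, aRegex } = replacements[i];` followed by `const replaceRegex = (allowAdvanced === true && aRegex) ? aRegex : regex;`. The strict `=== true` is worth keeping, because any value other than boolean true then falls back to the restricted pattern, and a comment saying so would help, e.g. `//anything other than boolean true gets the restricted regex`. The parameter has no default here although `markdown` declares `allowAdvanced=false`; giving it the same default keeps the two signatures parallel.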
@@ -13,7 +13,7 @@ module.exports = async (inputMessage, boardName, threadId=null) => {
 //markdown a post, link the quotes, sanitize and return message and quote arrays
 if (message && message.length > 0) {
- message = markdown(message);
+ message = markdown(message, allowAdvanced);
 const { quotedMessage, threadQuotes, crossQuotes } = await quoteHandler.process(boardName, message, threadId);
 message = quotedMessage;
 quotes = threadQuotes;
diff --git a/models/forms/addcustompage.js b/models/forms/addcustompage.js
index 27dd7b07..8745761f 100644
--- a/models/forms/addcustompage.js
+++ b/models/forms/addcustompage.js
@@ -9,7 +9,7 @@ const { CustomPages } = require(__dirname+'/../../db/')
 module.exports = async (req, res, next) => {
 const message = prepareMarkdown(req.body.message, false);
- const { message: markdownMessage } = await messageHandler(message, null, null);
+ const { message: markdownMessage } = await messageHandler(message, null, null, true);
 const post = {
 'board': req.params.board,
diff --git a/models/forms/addnews.js b/models/forms/addnews.js
index 1f4ec88a..97504cf1 100644
--- a/models/forms/addnews.js
+++ b/models/forms/addnews.js
@@ -9,7 +9,7 @@ const { News } = require(__dirname+'/../../db/')
 module.exports = async (req, res, next) => {
 const message = prepareMarkdown(req.body.message, false);
- const { message: markdownNews } = await messageHandler(message, null, null);
+ const { message: markdownNews } = await messageHandler(message, null, null, true);
 const post = {
 'title': req.body.title,
diff --git a/models/forms/changeboardsettings.js b/models/forms/changeboardsettings.js
index f92bbd89..ff199184 100644
--- a/models/forms/changeboardsettings.js
+++ b/models/forms/changeboardsettings.js
@@ -26,7 +26,7 @@ module.exports = async (req, res, next) => {
 const announcement = req.body.announcement === null ? null : prepareMarkdown(req.body.announcement, false);
 let markdownAnnouncement = oldSettings.announcement.markdown;
 if (announcement !== oldSettings.announcement.raw) {
- ({ message: markdownAnnouncement } = await messageHandler(announcement, req.params.board, null))
+ ({ message: markdownAnnouncement } = await messageHandler(announcement, req.params.board, null, true))
 }
 let moderators = req.body.moderators != null ? req.body.moderators.split(/\r?\n/).filter(n => n && !(n == res.locals.board.owner)).slice(0,10) : [];
diff --git a/models/forms/changeglobalsettings.js b/models/forms/changeglobalsettings.js
index 5f72e0b2..3b15dfab 100644
--- a/models/forms/changeglobalsettings.js
+++ b/models/forms/changeglobalsettings.js
@@ -19,7 +19,7 @@ module.exports = async (req, res, next) => {
 const announcement = req.body.global_announcement === null ? null : prepareMarkdown(req.body.global_announcement, false);
 let markdownAnnouncement = oldSettings.globalAnnouncement.markdown;
 if (announcement !== oldSettings.globalAnnouncement.raw) {
- ({ message: markdownAnnouncement } = await messageHandler(announcement, null, null))
+ ({ message: markdownAnnouncement } = await messageHandler(announcement, null, null, true))
 }
 const newSettings = {
diff --git a/models/forms/editnews.js b/models/forms/editnews.js
index 721caafa..c34965d3 100644
--- a/models/forms/editnews.js
+++ b/models/forms/editnews.js
@@ -9,7 +9,7 @@ const { News } = require(__dirname+'/../../db/')
 module.exports = async (req, res, next) => {
 const message = prepareMarkdown(req.body.message, false);
- const { message: markdownNews } = await messageHandler(message, null, null);
+ const { message: markdownNews } = await messageHandler(message, null, null, true);
 const updated = await News.updateOne(req.body.news_id, req.body.title, message, markdownNews).then(r => r.matchedCount);
diff --git a/models/forms/editpost.js b/models/forms/editpost.js
index adc36f39..8e47f6b1 100644
--- a/models/forms/editpost.js
+++ b/models/forms/editpost.js
@@ -85,7 +85,7 @@ todo: handle some more situations
 board.settings, board.owner, res.locals.user ? res.locals.user.username : null);
 //new message and quotes
 const nomarkup = prepareMarkdown(req.body.message, false);
- const { message, quotes, crossquotes } = await messageHandler(nomarkup, req.body.board, post.thread);
+ const { message, quotes, crossquotes } = await messageHandler(nomarkup, req.body.board, post.thread, true);
 //todo: email and subject (probably dont need any transformation since staff bypass limits on forceanon, and it doesnt have to account for sage/etc
 //intersection/difference of quotes sets for linking and unlinking
diff --git a/models/forms/makepost.js b/models/forms/makepost.js
index b06a6695..f4024822 100644
--- a/models/forms/makepost.js
+++ b/models/forms/makepost.js
@@ -412,7 +412,7 @@ ${res.locals.numFiles > 0 ? req.files.file.map(f => f.name+'|'+(f.phash || '')).
 res.locals.board.settings, res.locals.board.owner, res.locals.user ? res.locals.user.username : null);
 //get message, quotes and crossquote array
 const nomarkup = prepareMarkdown(req.body.message, true);
- const { message, quotes, crossquotes } = await messageHandler(nomarkup, req.params.board, req.body.thread);
+ const { message, quotes, crossquotes } = await messageHandler(nomarkup, req.params.board, req.body.thread, permLevel < 4);
 //build post data for db. for some reason all the property names are lower case :^)
 const data = {
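Review bot: The literal `true` passed to messageHandler in editpost.js enables the labelled-link pattern for the whole edited message, regardless of who wrote the original post. If the edit form is pre-filled with the poster's text (not visible in this hunk), a `[label](url)` sequence that was rendered literally for an unprivileged poster would turn into a link whose visible text differs from its destination as soon as staff save any edit. Deriving the flag from the original author's permission would keep the restriction intact; failing that, the intent should be recorded, e.g. `//staff edit: advanced markdown applies to the whole message, including text the original poster wrote`. The enclosing handler begins and ends outside the hunk.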
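Review bot: The gate `permLevel < 4` in makepost.js decides who may post labelled links, but the threshold is a bare number and `permLevel` is not declared inside this hunk, so neither the policy nor the source of the value can be checked here. Presumably it is taken from the request's resolved permission earlier in the handler; if it could ever be undefined, the comparison evaluates to false and staff silently lose the feature, which fails closed but is hard to notice. A comment next to the call would make the rule auditable, for example `//only staff levels (permLevel below 4, confirm against the level definitions) may use [label](url) links`. A named constant for the threshold would serve the same purpose if the project already defines its permission levels somewhere.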