const {ejs, ElemJS} = require("../basic") const {HighlightedCode} = require("./components") const DOMPurify = require("dompurify") const {resolveMxc} = require("../functions") const {MatrixEvent} = require("./event") const purifier = DOMPurify() purifier.addHook("uponSanitizeAttribute", (node, hookevent, config) => { // If purifier already rejected an attribute there is no point in checking it if (hookevent.keepAttr === false) return; const allowedElementAttributes = { "FONT": ["data-mx-bg-color", "data-mx-color", "color"], "SPAN": ["data-mx-bg-color", "data-mx-color"], "A": ["name", "target", "href"], "IMG": ["width", "height", "alt", "title", "src", "data-mx-emoticon"], "OL": ["start"], "CODE": ["class"], } const allowedAttributes = allowedElementAttributes[node.tagName] || [] hookevent.keepAttr = allowedAttributes.indexOf(hookevent.attrName) > -1 }) purifier.addHook("uponSanitizeElement", (node, hookevent, config) => { // Remove bad classes from our code element if (node.tagName === "CODE") { node.classList.forEach(c => { if (!c.startsWith("language-")) { node.classList.remove(c) } }) } if (node.tagName === "A") { node.setAttribute("rel", "noopener") // prevent the opening page from accessing carbon node.setAttribute("target", "_blank") // open in a new tab instead of replacing carbon } return node }) function cleanHTML(html) { const config = { ALLOWED_TAGS: [ "font", "del", "h1", "h2", "h3", "h4", "h5", "h6", "blockquote", "p", "a", "ul", "ol", "sup", "sub", "li", "b", "i", "u", "strong", "em", "strike", "code", "hr", "br", "div", "table", "thead", "tbody", "tr", "th", "td", "caption", "pre", "span", "img", // matrix tags "mx-reply" ], // In case we mess up in the uponSanitizeAttribute hook ALLOWED_ATTR: [ "color", "name", "target", "href", "width", "height", "alt", "title", "src", "start", "class", "noreferrer", "noopener", // matrix attrs "data-mx-emoticon", "data-mx-bg-color", "data-mx-color" ], // Return a DOM fragment instead of a string, avoids potential future mutation XSS // should also be faster than the browser parsing HTML twice // https://research.securitum.com/mutation-xss-via-mathml-mutation-dompurify-2-0-17-bypass/ RETURN_DOM_FRAGMENT: true, RETURN_DOM_IMPORT: true } return purifier.sanitize(html, config) } // Here we put all the processing of the messages that isn't as likely to potentially lead to security issues function postProcessElements(rootNode) { const element = rootNode.element element.querySelectorAll("pre").forEach(n => { new HighlightedCode(n) }) element.querySelectorAll("img").forEach(n => { let src = n.getAttribute("src") if (src) src = resolveMxc(src) n.setAttribute("src", src) }) element.querySelectorAll("font, span").forEach(n => { const color = n.getAttribute("data-mx-color") || n.getAttribute("color") const bgColor = n.getAttribute("data-mx-bg-color") if (color) n.style.color = color if (bgColor) n.style.backgroundColor = bgColor }) } class HTMLMessage extends MatrixEvent { render() { this.clearChildren() let html = this.data.content.formatted_body const content = ejs("div") const fragment = cleanHTML(html) content.element.appendChild(fragment) postProcessElements(content) this.child(content) super.render() } static canRender(event) { const content = event.content return ( event.type === "m.room.message" && (content.msgtype === "m.text" || content.msgtype === "m.notice") && content.format === "org.matrix.custom.html" && content.formatted_body ) } canGroup() { return true } } class TextMessage extends MatrixEvent { render() { this.clearChildren() this.text(this.data.content.body) super.render() } static canRender(event) { return event.type === "m.room.message" } canGroup() { return true } } module.exports = [HTMLMessage, TextMessage]