owncast/models/chatMessage.go

package models

import (
	"bytes"
	"strings"
	"time"

	"github.com/microcosm-cc/bluemonday"
	"github.com/yuin/goldmark"
	"github.com/yuin/goldmark/extension"
	"github.com/yuin/goldmark/renderer/html"
	"mvdan.cc/xurls"
)

//ChatMessage represents a single chat message
type ChatMessage struct {
	ClientID string `json:"-"`

	Author      string    `json:"author"`
	Body        string    `json:"body"`
	ID          string    `json:"id"`
	MessageType string    `json:"type"`
	Visible     bool      `json:"visible"`
	Timestamp   time.Time `json:"timestamp"`
}

//Valid checks to ensure the message is valid
func (m ChatMessage) Valid() bool {
	return m.Author != "" && m.Body != "" && m.ID != ""
}

// RenderAndSanitizeMessageBody will turn markdown into HTML, sanitize raw user-supplied HTML and standardize
// the message into something safe and renderable for clients.
func (m *ChatMessage) RenderAndSanitizeMessageBody() {
	raw := m.Body

	// Set the new, sanitized and rendered message body
	m.Body = RenderAndSanitize(raw)
}

// RenderAndSanitize will turn markdown into HTML, sanitize raw user-supplied HTML and standardize
// the message into something safe and renderable for clients.
func RenderAndSanitize(raw string) string {
	rendered := renderMarkdown(raw)
	safe := sanitize(rendered)

	// Set the new, sanitized and rendered message body
	return strings.TrimSpace(safe)
}

func renderMarkdown(raw string) string {
	markdown := goldmark.New(
		goldmark.WithRendererOptions(
			html.WithUnsafe(),
		),
		goldmark.WithExtensions(
			extension.NewLinkify(
				extension.WithLinkifyAllowedProtocols([][]byte{
					[]byte("http:"),
					[]byte("https:"),
				}),
				extension.WithLinkifyURLRegexp(
					xurls.Strict,
				),
			),
		),
	)

	trimmed := strings.TrimSpace(raw)
	var buf bytes.Buffer
	if err := markdown.Convert([]byte(trimmed), &buf); err != nil {
		panic(err)
	}

	return buf.String()
}

func sanitize(raw string) string {
	p := bluemonday.StrictPolicy()

	// Require URLs to be parseable by net/url.Parse
	p.AllowStandardURLs()

	// Allow links
	p.AllowAttrs("href").OnElements("a")

	// Force all URLs to have "noreferrer" in their rel attribute.
	p.RequireNoReferrerOnLinks(true)

	// Links will get target="_blank" added to them.
	p.AddTargetBlankToFullyQualifiedLinks(true)

	// Allow paragraphs
	p.AllowElements("br")
	p.AllowElements("p")

	// Allow img tags
	p.AllowElements("img")
	p.AllowAttrs("src").OnElements("img")
	p.AllowAttrs("alt").OnElements("img")
	p.AllowAttrs("title").OnElements("img")

	// Custom emoji have a class already specified.
	// We should only allow classes on emoji, not *all* imgs.
	// But TODO.
	p.AllowAttrs("class").OnElements("img")

	// Allow bold
	p.AllowElements("strong")

	// Allow emphasis
	p.AllowElements("em")

	return p.Sanitize(raw)
}
Project restructure (#18) * First pass at restructuring the project; untested but it does compile * Restructure builds and runs :tada: * Add the dist folder to the gitignore * Update core/playlist/monitor.go * golint and reorganize the monitor.go file Co-authored-by: Gabe Kangas <gabek@real-ity.com> 2020-06-23 03:11:56 +02:00			`package models`
WIP 2020-05-24 02:57:49 +02:00
Render and sanitize chat messages server-side. (#237) * Render and sanitize chat messages server-side. Closes #235 * Render content.md server-side and return it in the client config * Remove showdown from web project * Update api spec * Move example user content file 2020-10-14 01:45:52 +02:00			`import (`
			`"bytes"`
			`"strings"`
			`"time"`

			`"github.com/microcosm-cc/bluemonday"`
			`"github.com/yuin/goldmark"`
			`"github.com/yuin/goldmark/extension"`
			`"github.com/yuin/goldmark/renderer/html"`
			`"mvdan.cc/xurls"`
			`)`
Add timestamp to messages. For #26 2020-07-12 04:08:47 +02:00
Project restructure (#18) * First pass at restructuring the project; untested but it does compile * Restructure builds and runs :tada: * Add the dist folder to the gitignore * Update core/playlist/monitor.go * golint and reorganize the monitor.go file Co-authored-by: Gabe Kangas <gabek@real-ity.com> 2020-06-23 03:11:56 +02:00			`//ChatMessage represents a single chat message`
Support keepalive PING messages on the socket 2020-06-15 01:44:38 +02:00			`type ChatMessage struct {`
Decouple chat from core and add chat rest api (#25) * Decouple the chat package from the core * Add rest api endpoints for the chat aspect 2020-06-23 22:11:01 +02:00			ClientID string `json:"-"`

Add timestamp to messages. For #26 2020-07-12 04:08:47 +02:00			Author string `json:"author"`
			Body string `json:"body"`
			ID string `json:"id"`
			MessageType string `json:"type"`
Basic chat persistence for #26 2020-07-12 23:53:33 +02:00			Visible bool `json:"visible"`
Add timestamp to messages. For #26 2020-07-12 04:08:47 +02:00			Timestamp time.Time `json:"timestamp"`
WIP 2020-05-24 02:57:49 +02:00			`}`

Decouple chat from core and add chat rest api (#25) * Decouple the chat package from the core * Add rest api endpoints for the chat aspect 2020-06-23 22:11:01 +02:00			`//Valid checks to ensure the message is valid`
Render and sanitize chat messages server-side. (#237) * Render and sanitize chat messages server-side. Closes #235 * Render content.md server-side and return it in the client config * Remove showdown from web project * Update api spec * Move example user content file 2020-10-14 01:45:52 +02:00			`func (m ChatMessage) Valid() bool {`
			`return m.Author != "" && m.Body != "" && m.ID != ""`
			`}`

			`// RenderAndSanitizeMessageBody will turn markdown into HTML, sanitize raw user-supplied HTML and standardize`
			`// the message into something safe and renderable for clients.`
			`func (m *ChatMessage) RenderAndSanitizeMessageBody() {`
			`raw := m.Body`

			`// Set the new, sanitized and rendered message body`
			`m.Body = RenderAndSanitize(raw)`
			`}`

			`// RenderAndSanitize will turn markdown into HTML, sanitize raw user-supplied HTML and standardize`
			`// the message into something safe and renderable for clients.`
			`func RenderAndSanitize(raw string) string {`
			`rendered := renderMarkdown(raw)`
			`safe := sanitize(rendered)`

			`// Set the new, sanitized and rendered message body`
			`return strings.TrimSpace(safe)`
			`}`

			`func renderMarkdown(raw string) string {`
			`markdown := goldmark.New(`
			`goldmark.WithRendererOptions(`
			`html.WithUnsafe(),`
			`),`
			`goldmark.WithExtensions(`
			`extension.NewLinkify(`
			`extension.WithLinkifyAllowedProtocols([][]byte{`
			`[]byte("http:"),`
			`[]byte("https:"),`
			`}),`
			`extension.WithLinkifyURLRegexp(`
			`xurls.Strict,`
			`),`
			`),`
			`),`
			`)`

			`trimmed := strings.TrimSpace(raw)`
			`var buf bytes.Buffer`
			`if err := markdown.Convert([]byte(trimmed), &buf); err != nil {`
			`panic(err)`
			`}`

			`return buf.String()`
			`}`

			`func sanitize(raw string) string {`
			`p := bluemonday.StrictPolicy()`

			`// Require URLs to be parseable by net/url.Parse`
			`p.AllowStandardURLs()`

			`// Allow links`
			`p.AllowAttrs("href").OnElements("a")`

			`// Force all URLs to have "noreferrer" in their rel attribute.`
			`p.RequireNoReferrerOnLinks(true)`

			`// Links will get target="_blank" added to them.`
			`p.AddTargetBlankToFullyQualifiedLinks(true)`

			`// Allow paragraphs`
			`p.AllowElements("br")`
			`p.AllowElements("p")`

			`// Allow img tags`
			`p.AllowElements("img")`
			`p.AllowAttrs("src").OnElements("img")`
			`p.AllowAttrs("alt").OnElements("img")`
			`p.AllowAttrs("title").OnElements("img")`

			`// Custom emoji have a class already specified.`
			`// We should only allow classes on emoji, not all imgs.`
			`// But TODO.`
			`p.AllowAttrs("class").OnElements("img")`

			`// Allow bold`
			`p.AllowElements("strong")`

			`// Allow emphasis`
			`p.AllowElements("em")`

			`return p.Sanitize(raw)`
Decouple chat from core and add chat rest api (#25) * Decouple the chat package from the core * Add rest api endpoints for the chat aspect 2020-06-23 22:11:01 +02:00			`}`