nodebb/src/posts/parse.js

'use strict';

var nconf = require('nconf');
var url = require('url');
var winston = require('winston');
const sanitize = require('sanitize-html');
const _ = require('lodash');

var meta = require('../meta');
var plugins = require('../plugins');
var translator = require('../translator');
var utils = require('../utils');

let sanitizeConfig = {
	allowedTags: sanitize.defaults.allowedTags.concat([
		// Some safe-to-use tags to add
		'sup', 'ins', 'del', 'img', 'button',
		'video', 'audio', 'iframe', 'embed',
		// 'sup' still necessary until https://github.com/apostrophecms/sanitize-html/pull/422 merged
	]),
	allowedAttributes: {
		...sanitize.defaults.allowedAttributes,
		a: ['href', 'name', 'hreflang', 'media', 'rel', 'target', 'type'],
		img: ['alt', 'height', 'ismap', 'src', 'usemap', 'width', 'srcset'],
		iframe: ['height', 'name', 'src', 'width'],
		video: ['autoplay', 'controls', 'height', 'loop', 'muted', 'poster', 'preload', 'src', 'width'],
		audio: ['autoplay', 'controls', 'loop', 'muted', 'preload', 'src'],
		embed: ['height', 'src', 'type', 'width'],
	},
	globalAttributes: ['accesskey', 'class', 'contenteditable', 'dir',
		'draggable', 'dropzone', 'hidden', 'id', 'lang', 'spellcheck', 'style',
		'tabindex', 'title', 'translate', 'aria-expanded', 'data-*',
	],
	allowedClasses: {
		...sanitize.defaults.allowedClasses,
	},
};

module.exports = function (Posts) {
	Posts.urlRegex = {
		regex: /href="([^"]+)"/g,
		length: 6,
	};

	Posts.imgRegex = {
		regex: /src="([^"]+)"/g,
		length: 5,
	};

	Posts.parsePost = async function (postData) {
		if (!postData) {
			return postData;
		}
		postData.content = String(postData.content || '');
		const cache = require('./cache');
		const pid = String(postData.pid);
		const cachedContent = cache.get(pid);
		if (postData.pid && cachedContent !== undefined) {
			postData.content = cachedContent;
			return postData;
		}

		const data = await plugins.hooks.fire('filter:parse.post', { postData: postData });
		data.postData.content = translator.escape(data.postData.content);
		if (data.postData.pid) {
			cache.set(pid, data.postData.content);
		}
		return data.postData;
	};

	Posts.parseSignature = async function (userData, uid) {
		userData.signature = sanitizeSignature(userData.signature || '');
		return await plugins.hooks.fire('filter:parse.signature', { userData: userData, uid: uid });
	};

	Posts.relativeToAbsolute = function (content, regex) {
		// Turns relative links in content to absolute urls
		if (!content) {
			return content;
		}
		var parsed;
		var current = regex.regex.exec(content);
		var absolute;
		while (current !== null) {
			if (current[1]) {
				try {
					parsed = url.parse(current[1]);
					if (!parsed.protocol) {
						if (current[1].startsWith('/')) {
							// Internal link
							absolute = nconf.get('base_url') + current[1];
						} else {
							// External link
							absolute = '//' + current[1];
						}

						content = content.slice(0, current.index + regex.length) + absolute + content.slice(current.index + regex.length + current[1].length);
					}
				} catch (err) {
					winston.verbose(err.messsage);
				}
			}
			current = regex.regex.exec(content);
		}

		return content;
	};

	Posts.sanitize = function (content) {
		return sanitize(content, {
			allowedTags: sanitizeConfig.allowedTags,
			allowedAttributes: sanitizeConfig.allowedAttributes,
			allowedClasses: sanitizeConfig.allowedClasses,
		});
	};

	Posts.configureSanitize = async () => {
		// Each allowed tags should have some common global attributes...
		sanitizeConfig.allowedTags.forEach((tag) => {
			sanitizeConfig.allowedAttributes[tag] = _.union(sanitizeConfig.allowedAttributes[tag], sanitizeConfig.globalAttributes);
		});

		// Some plugins might need to adjust or whitelist their own tags...
		sanitizeConfig = await plugins.hooks.fire('filter:sanitize.config', sanitizeConfig);
	};

	Posts.registerHooks = () => {
		plugins.hooks.register('core', {
			hook: 'filter:parse.post',
			method: async (data) => {
				data.postData.content = Posts.sanitize(data.postData.content);
				return data;
			},
		});

		plugins.hooks.register('core', {
			hook: 'filter:parse.raw',
			method: async content => Posts.sanitize(content),
		});

		plugins.hooks.register('core', {
			hook: 'filter:parse.aboutme',
			method: async content => Posts.sanitize(content),
		});

		plugins.hooks.register('core', {
			hook: 'filter:parse.signature',
			method: async (data) => {
				data.userData.signature = Posts.sanitize(data.userData.signature);
				return data;
			},
		});
	};

	function sanitizeSignature(signature) {
		signature = translator.escape(signature);
		var tagsToStrip = [];

		if (meta.config['signatures:disableLinks']) {
			tagsToStrip.push('a');
		}

		if (meta.config['signatures:disableImages']) {
			tagsToStrip.push('img');
		}

		return utils.stripHTMLTags(signature, tagsToStrip);
	}
};
closes #3051 updated lru to latest created new files posts/cache.js posts/parse.js posts/edit.js 10 years ago			`'use strict';`

closes #4717 9 years ago			`var nconf = require('nconf');`
			`var url = require('url');`
			`var winston = require('winston');`
feat: html sanitization on all filter:parse.* hooks, closes #7872 6 years ago			`const sanitize = require('sanitize-html');`
			`const _ = require('lodash');`
fixes #4653 9 years ago
fixes #5225 8 years ago			`var meta = require('../meta');`
closes #4152 9 years ago			`var plugins = require('../plugins');`
Make utils and translator easier to require Move utils.walk to file.walk, backwards compatible 8 years ago			`var translator = require('../translator');`
Remove string.js dependency 7 years ago			`var utils = require('../utils');`
closes #3051 updated lru to latest created new files posts/cache.js posts/parse.js posts/edit.js 10 years ago
feat: html sanitization on all filter:parse.* hooks, closes #7872 6 years ago			`let sanitizeConfig = {`
			`allowedTags: sanitize.defaults.allowedTags.concat([`
			`// Some safe-to-use tags to add`
fix(deps): update dependency sanitize-html to v2 4 years ago			`'sup', 'ins', 'del', 'img', 'button',`
feat: html sanitization on all filter:parse.* hooks, closes #7872 6 years ago			`'video', 'audio', 'iframe', 'embed',`
fix(deps): update dependency sanitize-html to v2 4 years ago			`// 'sup' still necessary until https://github.com/apostrophecms/sanitize-html/pull/422 merged`
feat: html sanitization on all filter:parse.* hooks, closes #7872 6 years ago			`]),`
			`allowedAttributes: {`
			`...sanitize.defaults.allowedAttributes,`
fix(deps): update dependency sanitize-html to v2 4 years ago			`a: ['href', 'name', 'hreflang', 'media', 'rel', 'target', 'type'],`
feat: html sanitization on all filter:parse.* hooks, closes #7872 6 years ago			`img: ['alt', 'height', 'ismap', 'src', 'usemap', 'width', 'srcset'],`
			`iframe: ['height', 'name', 'src', 'width'],`
			`video: ['autoplay', 'controls', 'height', 'loop', 'muted', 'poster', 'preload', 'src', 'width'],`
			`audio: ['autoplay', 'controls', 'loop', 'muted', 'preload', 'src'],`
			`embed: ['height', 'src', 'type', 'width'],`
			`},`
			`globalAttributes: ['accesskey', 'class', 'contenteditable', 'dir',`
			`'draggable', 'dropzone', 'hidden', 'id', 'lang', 'spellcheck', 'style',`
			`'tabindex', 'title', 'translate', 'aria-expanded', 'data-*',`
			`],`
Support allowing classes Otherwise `<input class="form-control">` can't work 5 years ago			`allowedClasses: {`
			`...sanitize.defaults.allowedClasses,`
			`},`
feat: html sanitization on all filter:parse.* hooks, closes #7872 6 years ago			`};`

Fix space-before-function-paren linter rule 8 years ago			`module.exports = function (Posts) {`
closes #5522 8 years ago			`Posts.urlRegex = {`
			`regex: /href="([^"]+)"/g,`
			`length: 6,`
			`};`
#5522 test 8 years ago
closes #5522 8 years ago			`Posts.imgRegex = {`
#5522 test 8 years ago			`regex: /src="([^"]+)"/g,`
closes #5522 8 years ago			`length: 5,`
			`};`

feat: #7743, finish post module 6 years ago			`Posts.parsePost = async function (postData) {`
remove more parseInts 6 years ago			`if (!postData) {`
feat: #7743, finish post module 6 years ago			`return postData;`
remove more parseInts 6 years ago			`}`
post parse test 8 years ago			`postData.content = String(postData.content \|\| '');`
feat: #7743, finish post module 6 years ago			`const cache = require('./cache');`
			`const pid = String(postData.pid);`
			`const cachedContent = cache.get(pid);`
			`if (postData.pid && cachedContent !== undefined) {`
			`postData.content = cachedContent;`
			`return postData;`
closes #3051 updated lru to latest created new files posts/cache.js posts/parse.js posts/edit.js 10 years ago			`}`
feat: #8824, cache refactor (#8851) * feat: #8824, cache refactor ability to disable caches ability to download contents of cache refactor cache modules to remove duplicated code * fix: remove duplicate hit/miss tracking check cacheEnabled in getUncachedKeys 4 years ago
refactor: move plugin hook methods to plugin.hooks.* 4 years ago			`const data = await plugins.hooks.fire('filter:parse.post', { postData: postData });`
feat: #7743, finish post module 6 years ago			`data.postData.content = translator.escape(data.postData.content);`
feat: #8824, cache refactor (#8851) * feat: #8824, cache refactor ability to disable caches ability to download contents of cache refactor cache modules to remove duplicated code * fix: remove duplicate hit/miss tracking check cacheEnabled in getUncachedKeys 4 years ago			`if (data.postData.pid) {`
feat: #7743, finish post module 6 years ago			`cache.set(pid, data.postData.content);`
			`}`
			`return data.postData;`
closes #3051 updated lru to latest created new files posts/cache.js posts/parse.js posts/edit.js 10 years ago			`};`

feat: #7743, finish post module 6 years ago			`Posts.parseSignature = async function (userData, uid) {`
fixes #5225 8 years ago			`userData.signature = sanitizeSignature(userData.signature \|\| '');`
refactor: move plugin hook methods to plugin.hooks.* 4 years ago			`return await plugins.hooks.fire('filter:parse.signature', { userData: userData, uid: uid });`
closes #3051 updated lru to latest created new files posts/cache.js posts/parse.js posts/edit.js 10 years ago			`};`
fixes #4653 9 years ago
closes #5522 8 years ago			`Posts.relativeToAbsolute = function (content, regex) {`
feat: replace relative urls to absolute before sending email notifs https://github.com/NodeBB/NodeBB/pull/8366/files 5 years ago			`// Turns relative links in content to absolute urls`
			`if (!content) {`
			`return content;`
			`}`
ESlint one-var, fix comma-dangle 8 years ago			`var parsed;`
closes #5522 8 years ago			`var current = regex.regex.exec(content);`
ESlint one-var, fix comma-dangle 8 years ago			`var absolute;`
ESlint no-cond-assign, no-void, valid-jsdoc 8 years ago			`while (current !== null) {`
fixes #4653 9 years ago			`if (current[1]) {`
closes #4717 9 years ago			`try {`
			`parsed = url.parse(current[1]);`
			`if (!parsed.protocol) {`
			`if (current[1].startsWith('/')) {`
			`// Internal link`
closes #5522 8 years ago			`absolute = nconf.get('base_url') + current[1];`
closes #4717 9 years ago			`} else {`
			`// External link`
			`absolute = '//' + current[1];`
			`}`

closes #5522 8 years ago			`content = content.slice(0, current.index + regex.length) + absolute + content.slice(current.index + regex.length + current[1].length);`
fixes #4653 9 years ago			`}`
ESlint keyword-spacing, no-multi-spaces 8 years ago			`} catch (err) {`
call posts.relativeToAbsolute when needed 9 years ago			`winston.verbose(err.messsage);`
			`}`
fixes #4653 9 years ago			`}`
closes #5522 8 years ago			`current = regex.regex.exec(content);`
fixes #4653 9 years ago			`}`

			`return content;`
			`};`
fixes #5225 8 years ago
feat: html sanitization on all filter:parse.* hooks, closes #7872 6 years ago			`Posts.sanitize = function (content) {`
			`return sanitize(content, {`
Support allowing classes Otherwise `<input class="form-control">` can't work 5 years ago			`allowedTags: sanitizeConfig.allowedTags,`
			`allowedAttributes: sanitizeConfig.allowedAttributes,`
			`allowedClasses: sanitizeConfig.allowedClasses,`
feat: html sanitization on all filter:parse.* hooks, closes #7872 6 years ago			`});`
			`};`

fix: inability for plugins to actually alter parser sanitization config /cc @pitaj 6 years ago			`Posts.configureSanitize = async () => {`
			`// Each allowed tags should have some common global attributes...`
			`sanitizeConfig.allowedTags.forEach((tag) => {`
			`sanitizeConfig.allowedAttributes[tag] = _.union(sanitizeConfig.allowedAttributes[tag], sanitizeConfig.globalAttributes);`
			`});`

fix: added comment back 6 years ago			`// Some plugins might need to adjust or whitelist their own tags...`
refactor: move plugin hook methods to plugin.hooks.* 4 years ago			`sanitizeConfig = await plugins.hooks.fire('filter:sanitize.config', sanitizeConfig);`
fix: inability for plugins to actually alter parser sanitization config /cc @pitaj 6 years ago			`};`

chore: some optimizations for codeclimate 4 years ago			`Posts.registerHooks = () => {`
refactor: move plugin hook methods to plugin.hooks.* 4 years ago			`plugins.hooks.register('core', {`
chore: some optimizations for codeclimate 4 years ago			`hook: 'filter:parse.post',`
			`method: async (data) => {`
			`data.postData.content = Posts.sanitize(data.postData.content);`
			`return data;`
			`},`
			`});`

refactor: move plugin hook methods to plugin.hooks.* 4 years ago			`plugins.hooks.register('core', {`
chore: some optimizations for codeclimate 4 years ago			`hook: 'filter:parse.raw',`
			`method: async content => Posts.sanitize(content),`
			`});`

refactor: move plugin hook methods to plugin.hooks.* 4 years ago			`plugins.hooks.register('core', {`
chore: some optimizations for codeclimate 4 years ago			`hook: 'filter:parse.aboutme',`
			`method: async content => Posts.sanitize(content),`
			`});`

refactor: move plugin hook methods to plugin.hooks.* 4 years ago			`plugins.hooks.register('core', {`
chore: some optimizations for codeclimate 4 years ago			`hook: 'filter:parse.signature',`
			`method: async (data) => {`
			`data.userData.signature = Posts.sanitize(data.userData.signature);`
			`return data;`
			`},`
			`});`
			`};`

fixes #5225 8 years ago			`function sanitizeSignature(signature) {`
Fix #5592 (#5593) * Fix #5592 Escape translation tokens in topic titles, descriptions, profile about, and post contents * Fix tests 8 years ago			`signature = translator.escape(signature);`
ESlint one-var, fix comma-dangle 8 years ago			`var tagsToStrip = [];`
fixes #5225 8 years ago
Parse int (#6853) * Store config fields as JSON in the db Fewer parseInts * Remove unnecessary parseInts * remove some dupe code add tests * remove console.log * remove more parseInts * WIP: read meta.configs defaults from defaults.json remove more parseInts * more work * add log for failing test * update admin pwd * fix tests, dont require posts/cache before configs are initialized * handle saves * Test boolean conditions * remove more parseInts * Fix boolean values * remove lots more parseInts * removed json parsing * renamed var to number * categories dont have timestamp 6 years ago			`if (meta.config['signatures:disableLinks']) {`
fixes #5225 8 years ago			`tagsToStrip.push('a');`
			`}`

Parse int (#6853) * Store config fields as JSON in the db Fewer parseInts * Remove unnecessary parseInts * remove some dupe code add tests * remove console.log * remove more parseInts * WIP: read meta.configs defaults from defaults.json remove more parseInts * more work * add log for failing test * update admin pwd * fix tests, dont require posts/cache before configs are initialized * handle saves * Test boolean conditions * remove more parseInts * Fix boolean values * remove lots more parseInts * removed json parsing * renamed var to number * categories dont have timestamp 6 years ago			`if (meta.config['signatures:disableImages']) {`
fixes #5225 8 years ago			`tagsToStrip.push('img');`
			`}`

Remove string.js dependency 7 years ago			`return utils.stripHTMLTags(signature, tagsToStrip);`
fixes #5225 8 years ago			`}`
fixed LRU cache problem 9 years ago			`};`