fix: do not blindly escape a notification's bodyLong

For 7+ years we were escaping this value, but it is in many cases already sanitized (as it may be a post content). For those cases when it is not, I now run it through parse.raw. Instead of escaping, it now strips p, img, and a tags.
4 years ago · 783786cf8c
parent 0092df2c02
commit 783786cf8c
4 changed files with 5 additions and 5 deletions
--- a/src/flags.js
+++ b/src/flags.js
@ -720,7 +720,7 @@ Flags.notify = async function (flagObj, uid) {
 		notifObj = await notifications.create({
 			type: 'new-post-flag',
 			bodyShort: `[[notifications:user_flagged_post_in, ${flagObj.reports[flagObj.reports.length - 1].reporter.username}, ${titleEscaped}]]`,
-			bodyLong: flagObj.description,
+			bodyLong: await plugins.hooks.fire('filter:parse.raw', flagObj.description),
 			pid: flagObj.targetId,
 			path: `/flags/${flagObj.flagId}`,
 			nid: `flag:post:${flagObj.targetId}`,
@ -733,7 +733,7 @@ Flags.notify = async function (flagObj, uid) {
 		notifObj = await notifications.create({
 			type: 'new-user-flag',
 			bodyShort: `[[notifications:user_flagged_user, ${flagObj.reports[flagObj.reports.length - 1].reporter.username}, ${flagObj.target.username}]]`,
-			bodyLong: flagObj.description,
+			bodyLong: await plugins.hooks.fire('filter:parse.raw', flagObj.description),
 			path: `/flags/${flagObj.flagId}`,
 			nid: `flag:user:${flagObj.targetId}`,
 			from: uid,
--- a/src/messaging/notifications.js
+++ b/src/messaging/notifications.js
@ -62,7 +62,7 @@ module.exports = function (Messaging) {
 			type: isGroupChat ? 'new-group-chat' : 'new-chat',
 			subject: `[[email:notif.chat.subject, ${messageObj.fromUser.username}]]`,
 			bodyShort: `[[notifications:new_message_from, ${messageObj.fromUser.username}]]`,
-			bodyLong: messageObj.content,
+			bodyLong: await plugins.hooks.fire('filter:parse.raw', messageObj.content),
 			nid: `chat_${fromuid}_${roomId}`,
 			from: fromuid,
 			path: `/chats/${messageObj.roomId}`,
--- a/src/notifications.js
+++ b/src/notifications.js
@ -75,7 +75,7 @@ Notifications.getMultiple = async function (nids) {
 			notification.datetimeISO = utils.toISOString(notification.datetime);

 			if (notification.bodyLong) {
-				notification.bodyLong = utils.escapeHTML(notification.bodyLong);
+				notification.bodyLong = utils.stripHTMLTags(notification.bodyLong, ['img', 'p', 'a']);
 			}

 			notification.user = usersData[index];
--- a/src/posts/queue.js
+++ b/src/posts/queue.js
@ -95,7 +95,7 @@ module.exports = function (Posts) {
 			nid: `post-queue-${id}`,
 			mergeId: 'post-queue',
 			bodyShort: '[[notifications:post_awaiting_review]]',
-			bodyLong: data.content,
+			bodyLong: await plugins.hooks.fire('filter:parse.raw', data.content),
 			path: '/post-queue',
 		});
 		await notifications.push(notifObj, uids);