From 9656304e24a9fe0a3df13211c87e9cd91713d8ca Mon Sep 17 00:00:00 2001 From: Nicolas Werner Date: Wed, 20 Mar 2024 21:53:20 +0100 Subject: Remove attributes on del tags There is no use case for those afaik and they do break our replacement in the frontend. Let's instead strip them out in the sanitization step, since there are no valid attributes defined for the del tag currenlty. In theory we could also strip out all attributes here, but that seems excessive for now. Fixes https://github.com/Nheko-Reborn/nheko/issues/1693 --- src/Utils.cpp | 20 +++++++++++++------- 1 file changed, 13 insertions(+), 7 deletions(-) (limited to 'src/Utils.cpp') diff --git a/src/Utils.cpp b/src/Utils.cpp index ff5dabac..498bad9a 100644 --- a/src/Utils.cpp +++ b/src/Utils.cpp @@ -582,9 +582,10 @@ utils::escapeBlacklistedHtml(const QString &rawStr) const auto tagNameEnd = std::find_first_of(tagNameStart, end, tagNameEnds.begin(), tagNameEnds.end()); - if (allowedTags.find( - QByteArray(tagNameStart, static_cast(tagNameEnd - tagNameStart)).toLower()) == - allowedTags.end()) { + const auto tagName = + QByteArray(tagNameStart, static_cast(tagNameEnd - tagNameStart)).toLower(); + + if (allowedTags.find(tagName) == allowedTags.end()) { // not allowed -> escape buffer.append("<"); pos = tagNameStart; @@ -620,8 +621,9 @@ utils::escapeBlacklistedHtml(const QString &rawStr) auto attrName = QByteArray(attrStart, static_cast(attrEnd - attrStart)).toLower(); - auto sanitizeValue = [&attrName](QByteArray val) { - if (attrName == QByteArrayLiteral("src") && !val.startsWith("mxc://")) + auto sanitizeValue = [&attrName, tagName](QByteArray val) { + if (tagName == QByteArrayLiteral("del") || + (attrName == QByteArrayLiteral("src") && !val.startsWith("mxc://"))) return QByteArray(); else return val; @@ -697,8 +699,12 @@ utils::escapeBlacklistedHtml(const QString &rawStr) } } - buffer.append(' '); - buffer.append(attrName); + // We don't really want tags on del tags and they make replacement in the + // frontend more expansive + if (tagName != QByteArrayLiteral("del")) { + buffer.append(' '); + buffer.append(attrName); + } } } } -- cgit 1.4.1