src/posts/parse.js

'use strict';

var nconf = require('nconf');
var url = require('url');
var winston = require('winston');
const sanitize = require('sanitize-html');
const _ = require('lodash');

var meta = require('../meta');
var plugins = require('../plugins');
var translator = require('../translator');
var utils = require('../utils');

let sanitizeConfig = {
	allowedTags: sanitize.defaults.allowedTags.concat([
		// Some safe-to-use tags to add
		'sup', 'ins', 'del', 'img', 'button',
		'video', 'audio', 'iframe', 'embed',
		// 'sup' still necessary until https://github.com/apostrophecms/sanitize-html/pull/422 merged
	]),
	allowedAttributes: {
		...sanitize.defaults.allowedAttributes,
		a: ['href', 'name', 'hreflang', 'media', 'rel', 'target', 'type'],
		img: ['alt', 'height', 'ismap', 'src', 'usemap', 'width', 'srcset'],
		iframe: ['height', 'name', 'src', 'width'],
		video: ['autoplay', 'controls', 'height', 'loop', 'muted', 'poster', 'preload', 'src', 'width'],
		audio: ['autoplay', 'controls', 'loop', 'muted', 'preload', 'src'],
		embed: ['height', 'src', 'type', 'width'],
	},
	globalAttributes: ['accesskey', 'class', 'contenteditable', 'dir',
		'draggable', 'dropzone', 'hidden', 'id', 'lang', 'spellcheck', 'style',
		'tabindex', 'title', 'translate', 'aria-expanded', 'data-*',
	],
	allowedClasses: {
		...sanitize.defaults.allowedClasses,
	},
};

module.exports = function (Posts) {
	Posts.urlRegex = {
		regex: /href="([^"]+)"/g,
		length: 6,
	};

	Posts.imgRegex = {
		regex: /src="([^"]+)"/g,
		length: 5,
	};

	Posts.parsePost = async function (postData) {
		if (!postData) {
			return postData;
		}
		postData.content = String(postData.content || '');
		const cache = require('./cache');
		const pid = String(postData.pid);
		const cachedContent = cache.get(pid);
		if (postData.pid && cachedContent !== undefined) {
			postData.content = cachedContent;
			cache.hits += 1;
			return postData;
		}
		cache.misses += 1;
		const data = await plugins.fireHook('filter:parse.post', { postData: postData });
		data.postData.content = translator.escape(data.postData.content);
		if (global.env === 'production' && data.postData.pid) {
			cache.set(pid, data.postData.content);
		}
		return data.postData;
	};

	Posts.parseSignature = async function (userData, uid) {
		userData.signature = sanitizeSignature(userData.signature || '');
		return await plugins.fireHook('filter:parse.signature', { userData: userData, uid: uid });
	};

	Posts.relativeToAbsolute = function (content, regex) {
		// Turns relative links in content to absolute urls
		if (!content) {
			return content;
		}
		var parsed;
		var current = regex.regex.exec(content);
		var absolute;
		while (current !== null) {
			if (current[1]) {
				try {
					parsed = url.parse(current[1]);
					if (!parsed.protocol) {
						if (current[1].startsWith('/')) {
							// Internal link
							absolute = nconf.get('base_url') + current[1];
						} else {
							// External link
							absolute = '//' + current[1];
						}

						content = content.slice(0, current.index + regex.length) + absolute + content.slice(current.index + regex.length + current[1].length);
					}
				} catch (err) {
					winston.verbose(err.messsage);
				}
			}
			current = regex.regex.exec(content);
		}

		return content;
	};

	Posts.sanitize = function (content) {
		return sanitize(content, {
			allowedTags: sanitizeConfig.allowedTags,
			allowedAttributes: sanitizeConfig.allowedAttributes,
			allowedClasses: sanitizeConfig.allowedClasses,
		});
	};

	Posts.configureSanitize = async () => {
		// Each allowed tags should have some common global attributes...
		sanitizeConfig.allowedTags.forEach((tag) => {
			sanitizeConfig.allowedAttributes[tag] = _.union(sanitizeConfig.allowedAttributes[tag], sanitizeConfig.globalAttributes);
		});

		// Some plugins might need to adjust or whitelist their own tags...
		sanitizeConfig = await plugins.fireHook('filter:sanitize.config', sanitizeConfig);
	};

	function sanitizeSignature(signature) {
		signature = translator.escape(signature);
		var tagsToStrip = [];

		if (meta.config['signatures:disableLinks']) {
			tagsToStrip.push('a');
		}

		if (meta.config['signatures:disableImages']) {
			tagsToStrip.push('img');
		}

		return utils.stripHTMLTags(signature, tagsToStrip);
	}
};
closes #3051 updated lru to latest created new files posts/cache.js posts/parse.js posts/edit.js 2015-04-20 17:56:43 -04:00			`'use strict';`

closes #4717 2016-06-03 11:20:53 +03:00			`var nconf = require('nconf');`
			`var url = require('url');`
			`var winston = require('winston');`
feat: html sanitization on all filter:parse.* hooks, closes #7872 2019-08-30 14:40:11 -04:00			`const sanitize = require('sanitize-html');`
			`const _ = require('lodash');`
fixes #4653 2016-05-16 08:22:23 -04:00
fixes #5225 2016-11-21 11:07:20 -05:00			`var meta = require('../meta');`
closes #4152 2016-02-23 13:08:38 +02:00			`var plugins = require('../plugins');`
Make utils and translator easier to require Move utils.walk to file.walk, backwards compatible 2017-04-08 20:22:21 -06:00			`var translator = require('../translator');`
Remove string.js dependency 2017-10-13 21:02:41 -06:00			`var utils = require('../utils');`
closes #3051 updated lru to latest created new files posts/cache.js posts/parse.js posts/edit.js 2015-04-20 17:56:43 -04:00
feat: html sanitization on all filter:parse.* hooks, closes #7872 2019-08-30 14:40:11 -04:00			`let sanitizeConfig = {`
			`allowedTags: sanitize.defaults.allowedTags.concat([`
			`// Some safe-to-use tags to add`
fix(deps): update dependency sanitize-html to v2 2020-09-29 13:34:24 -04:00			`'sup', 'ins', 'del', 'img', 'button',`
feat: html sanitization on all filter:parse.* hooks, closes #7872 2019-08-30 14:40:11 -04:00			`'video', 'audio', 'iframe', 'embed',`
fix(deps): update dependency sanitize-html to v2 2020-09-29 13:34:24 -04:00			`// 'sup' still necessary until https://github.com/apostrophecms/sanitize-html/pull/422 merged`
feat: html sanitization on all filter:parse.* hooks, closes #7872 2019-08-30 14:40:11 -04:00			`]),`
			`allowedAttributes: {`
			`...sanitize.defaults.allowedAttributes,`
fix(deps): update dependency sanitize-html to v2 2020-09-29 13:34:24 -04:00			`a: ['href', 'name', 'hreflang', 'media', 'rel', 'target', 'type'],`
feat: html sanitization on all filter:parse.* hooks, closes #7872 2019-08-30 14:40:11 -04:00			`img: ['alt', 'height', 'ismap', 'src', 'usemap', 'width', 'srcset'],`
			`iframe: ['height', 'name', 'src', 'width'],`
			`video: ['autoplay', 'controls', 'height', 'loop', 'muted', 'poster', 'preload', 'src', 'width'],`
			`audio: ['autoplay', 'controls', 'loop', 'muted', 'preload', 'src'],`
			`embed: ['height', 'src', 'type', 'width'],`
			`},`
			`globalAttributes: ['accesskey', 'class', 'contenteditable', 'dir',`
			`'draggable', 'dropzone', 'hidden', 'id', 'lang', 'spellcheck', 'style',`
			`'tabindex', 'title', 'translate', 'aria-expanded', 'data-*',`
			`],`
Support allowing classes Otherwise `<input class="form-control">` can't work 2019-12-07 12:37:10 -07:00			`allowedClasses: {`
			`...sanitize.defaults.allowedClasses,`
			`},`
feat: html sanitization on all filter:parse.* hooks, closes #7872 2019-08-30 14:40:11 -04:00			`};`

Fix space-before-function-paren linter rule 2016-10-13 11:43:39 +02:00			`module.exports = function (Posts) {`
closes #5522 2017-05-28 01:10:16 -04:00			`Posts.urlRegex = {`
			`regex: /href="([^"]+)"/g,`
			`length: 6,`
			`};`
#5522 test 2017-05-28 01:26:56 -04:00
closes #5522 2017-05-28 01:10:16 -04:00			`Posts.imgRegex = {`
#5522 test 2017-05-28 01:26:56 -04:00			`regex: /src="([^"]+)"/g,`
closes #5522 2017-05-28 01:10:16 -04:00			`length: 5,`
			`};`

feat: #7743, finish post module 2019-07-17 19:05:55 -04:00			`Posts.parsePost = async function (postData) {`
remove more parseInts 2018-10-21 19:33:46 -04:00			`if (!postData) {`
feat: #7743, finish post module 2019-07-17 19:05:55 -04:00			`return postData;`
remove more parseInts 2018-10-21 19:33:46 -04:00			`}`
post parse test 2017-03-09 19:52:48 +03:00			`postData.content = String(postData.content \|\| '');`
feat: #7743, finish post module 2019-07-17 19:05:55 -04:00			`const cache = require('./cache');`
			`const pid = String(postData.pid);`
			`const cachedContent = cache.get(pid);`
			`if (postData.pid && cachedContent !== undefined) {`
			`postData.content = cachedContent;`
add cache hits/misses to posts cache 2018-10-15 15:03:06 -04:00			`cache.hits += 1;`
feat: #7743, finish post module 2019-07-17 19:05:55 -04:00			`return postData;`
closes #3051 updated lru to latest created new files posts/cache.js posts/parse.js posts/edit.js 2015-04-20 17:56:43 -04:00			`}`
add cache hits/misses to posts cache 2018-10-15 15:03:06 -04:00			`cache.misses += 1;`
feat: #7743, finish post module 2019-07-17 19:05:55 -04:00			`const data = await plugins.fireHook('filter:parse.post', { postData: postData });`
			`data.postData.content = translator.escape(data.postData.content);`
			`if (global.env === 'production' && data.postData.pid) {`
			`cache.set(pid, data.postData.content);`
			`}`
			`return data.postData;`
closes #3051 updated lru to latest created new files posts/cache.js posts/parse.js posts/edit.js 2015-04-20 17:56:43 -04:00			`};`

feat: #7743, finish post module 2019-07-17 19:05:55 -04:00			`Posts.parseSignature = async function (userData, uid) {`
fixes #5225 2016-11-21 11:07:20 -05:00			`userData.signature = sanitizeSignature(userData.signature \|\| '');`
feat: #7743, finish post module 2019-07-17 19:05:55 -04:00			`return await plugins.fireHook('filter:parse.signature', { userData: userData, uid: uid });`
closes #3051 updated lru to latest created new files posts/cache.js posts/parse.js posts/edit.js 2015-04-20 17:56:43 -04:00			`};`
fixes #4653 2016-05-16 08:22:23 -04:00
closes #5522 2017-05-28 01:10:16 -04:00			`Posts.relativeToAbsolute = function (content, regex) {`
feat: replace relative urls to absolute before sending email notifs https://github.com/NodeBB/NodeBB/pull/8366/files 2020-09-03 12:02:07 -04:00			`// Turns relative links in content to absolute urls`
			`if (!content) {`
			`return content;`
			`}`
ESlint one-var, fix comma-dangle 2017-02-17 20:20:42 -07:00			`var parsed;`
closes #5522 2017-05-28 01:10:16 -04:00			`var current = regex.regex.exec(content);`
ESlint one-var, fix comma-dangle 2017-02-17 20:20:42 -07:00			`var absolute;`
ESlint no-cond-assign, no-void, valid-jsdoc 2017-02-18 13:51:26 -07:00			`while (current !== null) {`
fixes #4653 2016-05-16 08:22:23 -04:00			`if (current[1]) {`
closes #4717 2016-06-03 11:20:53 +03:00			`try {`
			`parsed = url.parse(current[1]);`
			`if (!parsed.protocol) {`
			`if (current[1].startsWith('/')) {`
			`// Internal link`
closes #5522 2017-05-28 01:10:16 -04:00			`absolute = nconf.get('base_url') + current[1];`
closes #4717 2016-06-03 11:20:53 +03:00			`} else {`
			`// External link`
			`absolute = '//' + current[1];`
			`}`

closes #5522 2017-05-28 01:10:16 -04:00			`content = content.slice(0, current.index + regex.length) + absolute + content.slice(current.index + regex.length + current[1].length);`
fixes #4653 2016-05-16 08:22:23 -04:00			`}`
ESlint keyword-spacing, no-multi-spaces 2017-02-18 01:52:56 -07:00			`} catch (err) {`
call posts.relativeToAbsolute when needed 2016-06-29 21:09:05 +03:00			`winston.verbose(err.messsage);`
			`}`
fixes #4653 2016-05-16 08:22:23 -04:00			`}`
closes #5522 2017-05-28 01:10:16 -04:00			`current = regex.regex.exec(content);`
fixes #4653 2016-05-16 08:22:23 -04:00			`}`

			`return content;`
			`};`
fixes #5225 2016-11-21 11:07:20 -05:00
feat: html sanitization on all filter:parse.* hooks, closes #7872 2019-08-30 14:40:11 -04:00			`Posts.sanitize = function (content) {`
			`return sanitize(content, {`
Support allowing classes Otherwise `<input class="form-control">` can't work 2019-12-07 12:37:10 -07:00			`allowedTags: sanitizeConfig.allowedTags,`
			`allowedAttributes: sanitizeConfig.allowedAttributes,`
			`allowedClasses: sanitizeConfig.allowedClasses,`
feat: html sanitization on all filter:parse.* hooks, closes #7872 2019-08-30 14:40:11 -04:00			`});`
			`};`

fix: inability for plugins to actually alter parser sanitization config /cc @pitaj 2019-09-04 11:42:49 -04:00			`Posts.configureSanitize = async () => {`
			`// Each allowed tags should have some common global attributes...`
			`sanitizeConfig.allowedTags.forEach((tag) => {`
			`sanitizeConfig.allowedAttributes[tag] = _.union(sanitizeConfig.allowedAttributes[tag], sanitizeConfig.globalAttributes);`
			`});`

fix: added comment back 2019-09-04 11:44:04 -04:00			`// Some plugins might need to adjust or whitelist their own tags...`
fix: inability for plugins to actually alter parser sanitization config /cc @pitaj 2019-09-04 11:42:49 -04:00			`sanitizeConfig = await plugins.fireHook('filter:sanitize.config', sanitizeConfig);`
			`};`

fixes #5225 2016-11-21 11:07:20 -05:00			`function sanitizeSignature(signature) {`
Fix #5592 (#5593) * Fix #5592 Escape translation tokens in topic titles, descriptions, profile about, and post contents * Fix tests 2017-04-13 12:37:54 -06:00			`signature = translator.escape(signature);`
ESlint one-var, fix comma-dangle 2017-02-17 20:20:42 -07:00			`var tagsToStrip = [];`
fixes #5225 2016-11-21 11:07:20 -05:00
Parse int (#6853) * Store config fields as JSON in the db Fewer parseInts * Remove unnecessary parseInts * remove some dupe code add tests * remove console.log * remove more parseInts * WIP: read meta.configs defaults from defaults.json remove more parseInts * more work * add log for failing test * update admin pwd * fix tests, dont require posts/cache before configs are initialized * handle saves * Test boolean conditions * remove more parseInts * Fix boolean values * remove lots more parseInts * removed json parsing * renamed var to number * categories dont have timestamp 2018-10-21 16:47:51 -04:00			`if (meta.config['signatures:disableLinks']) {`
fixes #5225 2016-11-21 11:07:20 -05:00			`tagsToStrip.push('a');`
			`}`

Parse int (#6853) * Store config fields as JSON in the db Fewer parseInts * Remove unnecessary parseInts * remove some dupe code add tests * remove console.log * remove more parseInts * WIP: read meta.configs defaults from defaults.json remove more parseInts * more work * add log for failing test * update admin pwd * fix tests, dont require posts/cache before configs are initialized * handle saves * Test boolean conditions * remove more parseInts * Fix boolean values * remove lots more parseInts * removed json parsing * renamed var to number * categories dont have timestamp 2018-10-21 16:47:51 -04:00			`if (meta.config['signatures:disableImages']) {`
fixes #5225 2016-11-21 11:07:20 -05:00			`tagsToStrip.push('img');`
			`}`

Remove string.js dependency 2017-10-13 21:02:41 -06:00			`return utils.stripHTMLTags(signature, tagsToStrip);`
fixes #5225 2016-11-21 11:07:20 -05:00			`}`
fixed LRU cache problem 2015-11-26 23:34:55 -05:00			`};`