Use markdown-it and sanitize-html for comment mail notifier

Chocobozzz · Nov 6, 2020 · 5203c30 · 5203c30
1 parent f5c9c8c
commit 5203c30
Show file tree

Hide file tree

Showing 3 changed files with 50 additions and 7 deletions.
diff --git a/server/lib/emailer.ts b/server/lib/emailer.ts
@@ -15,7 +15,50 @@ import { MAbuseFull, MAbuseMessage, MAccountDefault, MActorFollowActors, MActorF
 import { MCommentOwnerVideo, MVideo, MVideoAccountLight } from '../types/models/video'
 import { JobQueue } from './job-queue'
 
-const marked = require('marked')
+const sanitizeHtml = require('sanitize-html')
+const markdownItEmoji = require('markdown-it-emoji/light')
+const MarkdownItClass = require('markdown-it')
+const markdownIt = new MarkdownItClass('default', { linkify: true, breaks: true, html: true })
+
+markdownIt.enable([
+  'emphasis',
+  'link',
+  'list'
+])
+
+markdownIt.use(markdownItEmoji)
+
+const toSafeHtml = text => {
+  // Restore line feed
+  const textWithLineFeed = text.replace(/<br.?\/?>/g, '\r\n')
+
+  // Convert possible markdown (emojis, emphasis and lists) to html
+  const html = markdownIt.render(textWithLineFeed)
+
+  // Convert to safe Html
+  return sanitizeHtml(html, {
+    allowedTags: [ 'a', 'p', 'span', 'br', 'strong', 'em', 'ul', 'ol', 'li' ],
+    allowedSchemes: [ 'http', 'https' ],
+    allowedAttributes: {
+      a: [ 'href', 'class', 'target', 'rel' ]
+    },
+    transformTags: {
+      a: (tagName, attribs) => {
+        let rel = 'noopener noreferrer'
+        if (attribs.rel === 'me') rel += ' me'
+
+        return {
+          tagName,
+          attribs: Object.assign(attribs, {
+            target: '_blank',
+            rel
+          })
+        }
+      }
+    }
+  })
+}
+
 const Email = require('email-templates')
 
 class Emailer {
@@ -237,7 +280,7 @@ class Emailer {
     const video = comment.Video
     const videoUrl = WEBSERVER.URL + comment.Video.getWatchStaticPath()
     const commentUrl = WEBSERVER.URL + comment.getCommentStaticPath()
-    const commentText = marked(comment.text)
+    const commentHtml = toSafeHtml(comment.text)
 
     const emailPayload: EmailPayload = {
       template: 'video-comment-new',
@@ -247,7 +290,7 @@ class Emailer {
         accountName: comment.Account.getDisplayName(),
         accountUrl: comment.Account.Actor.url,
         comment,
-        commentText,
+        commentHtml,
         video,
         videoUrl,
         action: {
@@ -265,15 +308,15 @@ class Emailer {
     const video = comment.Video
     const videoUrl = WEBSERVER.URL + comment.Video.getWatchStaticPath()
     const commentUrl = WEBSERVER.URL + comment.getCommentStaticPath()
-    const commentText = marked(comment.text)
+    const commentHtml = toSafeHtml(comment.text)
 
     const emailPayload: EmailPayload = {
       template: 'video-comment-mention',
       to,
       subject: 'Mention on video ' + video.name,
       locals: {
         comment,
-        commentText,
+        commentHtml,
         video,
         videoUrl,
         accountName,

diff --git a/server/lib/emails/video-comment-mention/html.pug b/server/lib/emails/video-comment-mention/html.pug
@@ -7,5 +7,5 @@ block content
   p.
     #[a(href=accountUrl title=handle) #{accountName}] mentioned you in a comment on video
     "#[a(href=videoUrl) #{video.name}]":
-  blockquote !{commentText}
+  blockquote !{commentHtml}
   br(style="display: none;")
diff --git a/server/lib/emails/video-comment-new/html.pug b/server/lib/emails/video-comment-new/html.pug
@@ -7,5 +7,5 @@ block content
   p.
     #[a(href=accountUrl title=handle) #{accountName}] added a comment on your video
     "#[a(href=videoUrl) #{video.name}]":
-  blockquote !{commentText}
+  blockquote !{commentHtml}
   br(style="display: none;")