feat(core): Add message of the day. Remove all html tags except for anchor tags (mobile only)

smizrahi
2024-01-29 17:16:08 +01:00
parent f43974bbb7
commit 455fe97cbe
4 changed files with 29 additions and 1 deletions


@@ -76,6 +76,8 @@
/* OpenSSL multiline DN */
- (NSArray *) componentsFromMultilineDN;
/* XSS protection */
- (NSString *) removeHTMLTagsExceptAnchorTags;
- (NSString *) stringWithoutHTMLInjection: (BOOL)stripHTMLCode;
#ifndef GNUSTEP_BASE_LIBRARY


@@ -903,6 +903,28 @@ static int cssEscapingCount;
return result;
}
/**
* Remove all HTML tags except for <a> </a>
* @return A clean string
*/
- (NSString *)removeHTMLTagsExceptAnchorTags {
NSError *error;
NSRegularExpression *regex;
NSString *stringWithoutHTML;
error = nil;
regex = [NSRegularExpression regularExpressionWithPattern: @"<(?!a|\\/a\\b)[^>]*>" options: NSRegularExpressionCaseInsensitive error: &error];
stringWithoutHTML = [regex stringByReplacingMatchesInString: self options: 0 range: NSMakeRange(0, [self length]) withTemplate:@""];
if (error) {
[self logWithFormat: @"Error while removing tags : %@", [error localizedDescription]];
return self;
}
return stringWithoutHTML;
}
/**
* Get the safe string avoiding HTML injection
* @param stripHTMLCode Remove all HTML code from content
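Review bot: The negative lookahead in the pattern, `(?!a|\\/a\\b)`, exempts every opening tag whose name merely starts with `a`, because the `\\b` binds only to the `\\/a` alternative; elements such as `<abbr>`, `<audio>` or `<applet>` therefore pass through although the doc comment promises only `<a>` and `</a>`. Anchoring both alternatives, e.g. `@"<(?!\\/?a[\\s>])[^>]*>"`, limits the exemption to real anchor tags. The failure branch also fails open: if the expression could not be built, `regex` is nil and the method returns `self` unfiltered, so testing `regex == nil` instead of `error` and returning `[self stringWithoutHTMLInjection: YES]` would keep the fallback safe. The doc comment should also say that only tags terminated by `>` are removed, so the result is reduced markup rather than guaranteed-inert text.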


@@ -118,5 +118,9 @@
testEquals([[NSString stringWithString:@"<div><!--[if !mso]><span>Test</span><!--<![endif]--></div>"] cleanInvalidHTMLTags], @"<div><!--[if !mso]><span>Test</span><!--[endif]--></div>");
}
- (void) test_stringRemoveHTMLTagsExceptAnchorTags
{
testEquals([[NSString stringWithString:@"<div>Test<img src=\"foo\" />bar <a href=\"https://www.sogo.nu\" target=\"_blank\">link</a> <strong>foobar</strong></div>"] removeHTMLTagsExceptAnchorTags], @"Testbar <a href=\"https://www.sogo.nu\" target=\"_blank\">link</a> foobar");
}
@end
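Review bot: The new test only feeds tags whose names start with letters other than `a` (`div`, `img`, `strong`), so it cannot detect that the lookahead in `removeHTMLTagsExceptAnchorTags` also keeps other a-prefixed elements. A case such as `testEquals([@"<abbr>x</abbr> <a href=\"#\">y</a>" removeHTMLTagsExceptAnchorTags], @"x <a href=\"#\">y</a>");` would pin the intended anchors-only behaviour; with the pattern as committed it is expected to fail. An uppercase variant (`<DIV>`, `<A HREF=…>`) would additionally cover the case-insensitive option.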


@@ -1052,7 +1052,7 @@ static const NSString *kJwtKey = @"jwt";
- (NSString *)motdEscaped
{
return [[[SOGoAdmin sharedInstance] getMotd] stringWithoutHTMLInjection: YES];
return [[[SOGoAdmin sharedInstance] getMotd] removeHTMLTagsExceptAnchorTags];
}
- (BOOL)hasMotd
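Review bot: `motdEscaped` no longer returns escaped text: it now hands back the MOTD with `<a …>` markup intact, including every attribute the stored text carried, so the method name and any consumer that assumed inert text are out of step. The hunk does not show how the value is rendered; if the template emits it unescaped, the `href` scheme and any non-`href` attributes should be restricted before the string gets there. At minimum the method deserves a comment such as `/* Returns HTML: only <a> tags are kept and their attributes are NOT filtered; the MOTD is administrator-supplied */`, or a rename that reflects the new contract.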