From 0b39137cd78b8aafe1f8bfe0132a56942b9c3efe Mon Sep 17 00:00:00 2001
From: Ryan Lue
Date: Mon, 16 Jul 2018 15:23:57 +0800
Subject: [PATCH] Add sanitize duplicated domains in rich text form input (fixes #2019)
---
 .../javascripts/app/lib/app_post/utils.coffee | 13 +++++++++++++
 ..._fix_double_domain_links_in_trigger_emails.rb | 16 ++++++++++++++++
 public/assets/tests/html_utils.js | 8 +++++++-
 3 files changed, 36 insertions(+), 1 deletion(-)
 create mode 100644 db/migrate/20180716060129_issue_2019_fix_double_domain_links_in_trigger_emails.rb
diff --git a/app/assets/javascripts/app/lib/app_post/utils.coffee b/app/assets/javascripts/app/lib/app_post/utils.coffee
index 7307bcf3d..9e87febb0 100644
--- a/app/assets/javascripts/app/lib/app_post/utils.coffee
+++ b/app/assets/javascripts/app/lib/app_post/utils.coffee
@@ -262,6 +262,10 @@ class App.Utils
 # remove word markup
 @_removeWordMarkup(html)

+ # strip out browser-inserted (broken) link
+ # (see https://github.com/zammad/zammad/issues/2019)
+ @_stripDoubleDomainAnchors(html)
+
 # remove tags, keep content
 html.find('font, small, time, form, label').replaceWith( ->
 $(@).contents()
@@ -395,6 +399,15 @@ class App.Utils
 return window.word_filter(html)
 html

+ @_stripDoubleDomainAnchors: (html) ->
+ html.find('a').each( ->
+ origHref = $(@).attr('href')
+ return if !origHref?
+
+ fixedHref = origHref.replace(/^https?:\/\/.*(?=(https?|#{config.http_type}):\/\/)/, '')
+ if origHref != fixedHref then $(@).attr('href', fixedHref)
+ )
+
 # signatureNeeded = App.Utils.signatureCheck(message, signature)
 @signatureCheck: (message, signature) ->
 messageText = $('
' + message + '
').text().trim()
diff --git a/db/migrate/20180716060129_issue_2019_fix_double_domain_links_in_trigger_emails.rb b/db/migrate/20180716060129_issue_2019_fix_double_domain_links_in_trigger_emails.rb
new file mode 100644
index 000000000..c3386c545
--- /dev/null
+++ b/db/migrate/20180716060129_issue_2019_fix_double_domain_links_in_trigger_emails.rb
@@ -0,0 +1,16 @@
+class Issue2019FixDoubleDomainLinksInTriggerEmails < ActiveRecord::Migration[5.1]
+ DOUBLE_DOMAIN_REGEX = %r{(?<=)}
+
+ def up
+ Trigger.where('perform LIKE ?', '%notification.email: %')
+ .find_each do |t|
+ email_response = t.perform['notification.email']
+ next if email_response.blank? || !email_response['body']&.match(DOUBLE_DOMAIN_REGEX)
+
+ email_response['body'] = email_response['body'].gsub(DOUBLE_DOMAIN_REGEX, '')
+ next if !t.perform_changed?
+
+ t.save
+ end
+ end
+end
diff --git a/public/assets/tests/html_utils.js b/public/assets/tests/html_utils.js
index 492fed2a9..b33ec5c8d 100644
--- a/public/assets/tests/html_utils.js
+++ b/public/assets/tests/html_utils.js
@@ -651,6 +651,12 @@ test("htmlCleanup", function() {
 result = App.Utils.htmlCleanup(source)
 equal(result.get(0).outerHTML, should, source)

+ // strip out browser-inserted (broken) link (see https://github.com/zammad/zammad/issues/2019)
+ source = "
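Review bot: The regex on the `fixedHref` line lets `.*` run to the last `https?://` anywhere in the href, so a legitimate link that carries a URL in its query string (`https://a.example/login?next=https://b.example/x`) is silently rewritten to `https://b.example/x` — re-targeting a user-authored link instead of only undoing the browser's prefix. Assuming the broken hrefs have the form `https://host/https://real.example/...`, match a single origin prefix only: `fixedHref = origHref.replace(/^https?:\/\/[^\/]+\/(?=https?:\/\/)/, '')`. The `#{config.http_type}` alternative also looks inert: as far as I can tell CoffeeScript interpolates only inside `///` heregexes, so a plain `/.../` literal passes those characters through verbatim and the `https?` branch does all the matching — either drop it or switch to a heregex if `config` really is in scope here. `@signatureCheck`'s body continues outside the hunk.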
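Review bot: `t.save` on the last line of the loop discards a failed save (a validation failure just returns false), so a trigger whose body is still broken would be skipped while the migration reports success; in a data migration use `t.save!` so the run aborts loudly. The `DOUBLE_DOMAIN_REGEX` constant reads as `%r{(?<=)}` in this rendering, which looks like markup stripped by the page rather than the real pattern, so the pattern itself cannot be reviewed here — if it mirrors the CoffeeScript one (`https?://.*` up to the last `https?://`), it has the same over-greedy problem on bodies whose links embed a URL in a query string. `next if !t.perform_changed?` is redundant given the `match` guard two lines above (a matching `gsub` with `''` always changes the body), though harmless.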
test
" + should = "test" + result = App.Utils.htmlCleanup(source) + equal(result.html(), should, source) + source = "
aaa
value
" should = "
aaa
value
" result = App.Utils.htmlCleanup(source) @@ -2727,4 +2733,4 @@ var htmlImage2DataUrlTest = function() { } $('#image2text img').one('load', htmlImage2DataUrlTest) -} \ No newline at end of file +}