Merge pull request lichess-org#4658 from niklasf/whitelist-imgur

only embed images from imgur

Author: ornicar

modules/common/src/main/base/RawHtml.scala

@@ -159,12 +159,10 @@ final object RawHtml {
     last + 1
   }
 
-  private[this] val imgurRegex = """https?://imgur\.com/(\w+)""".r
-  private[this] val imgUrlPat = """\.(?:jpg|jpeg|png|gif)$""".r.pattern
+  private[this] val imgurRegex = """https?://(?:i\.)?imgur\.com/(\w+)(?:\.jpe?g|\.png|\.gif)?""".r
 
   private[this] def imgUrl(url: String): Option[String] = (url match {
     case imgurRegex(id) => Some(s"""https://i.imgur.com/$id.jpg""")
-    case _ if imgUrlPat.matcher(url).find => Some(url)
     case _ => None
   }) map { img => s"""<img class="embed" src="$img" alt="$url"/>""" }
 

modules/common/src/test/RawHtmlTest.scala

@@ -35,11 +35,10 @@ class RawHtmlTest extends Specification {
       val url = "http://foo@bar"
       addLinks(s"""link to $url here""") must not contain ("""href="http://foo"""")
     }
-    "detect image" in {
+    "ignore image from untrusted host" in {
       val url = "http://zombo.com/pic.jpg"
-      addLinks(s"""img to $url here""") must_== {
-        s"""img to <img class="embed" src="$url" alt="$url"/> here"""
-      }
+      addLinks(s"""link to $url here""") must_==
+        s"""link to <a rel="nofollow" href="$url" target="_blank">$url</a> here"""
     }
     "detect imgur image URL" in {
       val url = "https://imgur.com/NXy19Im"