Strip reply fallback before passing to html renderer

This commit is contained in:
Sorunome 2020-07-05 18:41:27 +02:00
parent 4dcbc4ec1c
commit 35f2202e90
No known key found for this signature in database
GPG Key ID: B19471D07FC9BE9C

View File

@ -21,11 +21,19 @@ class HtmlMessage extends StatelessWidget {
@override @override
Widget build(BuildContext context) { Widget build(BuildContext context) {
// riot-web is notorious for creating bad reply fallback events from invalid messages which, if
// not handled properly, can lead to impersination. As such, we strip the entire `<mx-reply>` tags
// here already, to prevent that from happening.
// We do *not* do this in an AST and just with simple regex here, as riot-web tends to create
// miss-matching tags, and this way we actually correctly identify what we want to strip and, well,
// strip it.
final renderHtml = html.replaceAll(RegExp('<mx-reply>.*<\/mx-reply>'), '');
// there is no need to pre-validate the html, as we validate it while rendering // there is no need to pre-validate the html, as we validate it while rendering
final themeData = Theme.of(context); final themeData = Theme.of(context);
return Html( return Html(
data: html, data: renderHtml,
defaultTextStyle: defaultTextStyle, defaultTextStyle: defaultTextStyle,
linkStyle: linkStyle ?? linkStyle: linkStyle ??
themeData.textTheme.bodyText2.copyWith( themeData.textTheme.bodyText2.copyWith(