Commit Graph

29 Commits

Author SHA1 Message Date
Rohitt Vashishtha 3bdc8bbaa5 CVE-2018-9986: Fix XSS issues with frontend markdown processor.
This fixes a set of XSS issues with Zulip's frontend markdown
processor, which is used in a limited set of contexts, such as local
echo of messages and the drafts feature.

The implementation of several syntax elements, including the <em>
syntax, user and stream mentions, and some others failed to properly
escape the content inside the syntax.

Fix this, and add tests for each corrected code path.

Thanks to w2w for reporting this issue.
2018-04-12 09:46:37 -07:00
Shubham Dhama a32e1eb913 markdown: Require double-asterisk around all mentions.
This enforces `**` around all the mentions including "at-all" and
"at-everyone" mentions. Hence this makes `@all` and `@everyone`
invalid mentions, resulting into proper syntax for these mentions as
`@**all**` and `@**everyone**` respectively.

Note from tabbott: This removes an old feature/syntax, which made
sense back when @Tim was also a way to mention a user with Tim as
their first name.  Given how nice typeahead is now, the user part of
the feature was removed a while ago; this should have gone at the same
time.

Fixes: #8143.
2018-02-16 11:45:08 -08:00
Andy Perez f0190333b8 bugdown: Remove whitespace strip from inline code.
Fixes #4507
2017-12-14 07:48:10 -05:00
Umair Khan 8f190e0746 user-groups: Update marked.js to do proper local echo for mentions.
We implement markdown in the JS as well to improve the
usability.  Comes complete withunit tests.

Fixes #7381.
2017-11-27 09:16:09 -08:00
Andy Perez 83f563aeff bugdown: Properly parse empty blockquotes.
The character ">" now only starts a blockquote if the resulting
blockquote would be non-empty.  Thus, by itself, ">" is now
interpreted literally by bugdown, fixing #687.  The message
with contents consisting of ">>>" is now parsed as a doubly
(not triply) nested blockquote with contents ">".  Properly
formed blockquotes have identical behavior as before, but now
bugdown can no longer produce empty blockquotes as output.

Fixes #2886, #687.
2017-11-17 11:41:44 -08:00
Andy Perez 4d51a6cfac bugdown: Fix $$ whitespace handling.
The intended use of $$ is for inline expressions, not for multiline
ones; ```math is an acceptable alternative for the latter.  Hence,
the $$-syntax for inline TeX no longer permits newlines within it.

This was also necessary for the next change to be sensible; namely
allowing for spaces around both $$ when crafting inline TeX instead of
forcing everything to be crammed together, e.g. $$x=7$$.  In order to
avoid uninentionally creating inline expressions, the opening and
closing $$'s of an inline expression must now both exactly consist of
two dollar signs, no more and no less.

Fixes: #6488.
2017-11-10 16:54:27 -08:00
Joshua Pan e6611fec99 markdown.js: Remove paragraph break from numbered lists.
Fixes #5902.
2017-07-28 12:32:20 -07:00
Joshua Pan 5e5ca48063 markdown.js: Fix inconsistent #**stream** on new line.
This commit removes all code related to headers because
(1) we don't need the code and (2) it splits #**stream**
as a paragraph, which we don't want. This commit also
fixes the inconsistency when #**stream** is on a new line.

Fixes #4678.
2017-07-18 11:07:25 -07:00
Joshua Pan ec669a0c45 markdown.js: Fix inconsistent user mention on new line.
The user mention regex was checking for multiple lines,
so it broke when the user mention was on a new line.
This changes the regex AND adds a couple tests to
test inline markdown regexes.
2017-07-18 00:07:49 -07:00
Harshit Bansal c549dea9ac bugdown: Fix the regex used for unicode emoji matching.
The regex we were using didn't cover all the unicode blocks
to which our emojis belong. This commit fixes the regex to
include all the unicode blocks and also updates the
corresponding JS regex in marked.js.

Fixes: #3460.
2017-05-16 09:05:42 -07:00
Benjamin Gilbert 4775f55ca7 Fix spelling of "occurred" in various places. 2017-04-17 20:29:07 -07:00
Yago González 34a9e1ae11 markdown: Add TeX typesetting support.
Co-authored-by: Reid Barton <rwbarton@gmail.com>

Fixes #2056.
2017-03-21 16:40:00 -07:00
Yago González ca190bd394 bug fix: Handle empty at-mentions gracefully.
An exception in the webapp was trown when an empty mention was sent.
Examples of problematic messages are "@" or "@****".

In order to fix this, the regex that identifies mentions has been
modified, so it now requires the mention to have a "content" (by
replacing the ? quantifier by +).

A test case has been added to `frontend_tests/node_tests/echo.js` to
check that this works properly in the future.
2016-12-21 15:32:12 -08:00
hackerkid 951f1d9cdb Add missing unicode range to text: replace(inline.breaks.text)
This is a followup of #2297.
2016-11-14 20:10:54 -08:00
hackerkid b2e91eae13 Add marked.js support to emojis in miscellaneous and dingbats block.
https://en.wikipedia.org/wiki/Emoji#Unicode_blocks
2016-11-14 15:58:16 -08:00
paxapy ade3bda025 markdown: Fix stream link handler in corner cases.
* Fixes handling of multiple stream links and invalid stream names.
* Fixes text regex so it handle hash sign the right way.
* Adds tests for these stream link cases.
2016-11-10 19:22:19 -08:00
Igor Tokarev 852bc6b491 bugdown: Re-enable support for italics in bugdown.
Fixes: #1103.
2016-11-10 19:14:40 -08:00
Mohsen Ibrahim 44c8e4c58c streamLinkHandler: render stream links correctly.
After adding the ability to add stream links to messages using
the following pattern '#**stream_name**' there was a problem
with rendering this using our markdown engine because '**' means
bold text so that would render just to bold text.
To solve this I had to add regular expression in marked.js to match
that pattern and when it matches I call handleStreamLinks in echo.js
which will correctly render it to HTML.

Fixes #2218.

[tweaked by tabbott to url-encode the stream name in the URL and
adding the missing "#" in the display].
2016-11-08 13:52:31 -08:00
Igor Tokarev 07d05390bf markdown: Fix client usermention regular expression.
Fixes #993.
2016-11-06 18:37:09 -08:00
hackerkid 70223ef2da [third] Update marked base to newer version 0.3.6.
This basically re-applies the Zulip changes to marked 0.3.6.

Fixes #2190.
2016-11-04 21:56:53 -07:00
hackerkid bca1953aa4 Add support for !gravatar syntax in echo.js. 2016-10-20 14:40:45 -07:00
hackerkid 95b5ac1d5d Add support for !avatar syntax in echo.js. 2016-10-20 14:40:33 -07:00
Alex Wilson b040839c76 Add unicode emoji to frontend markdown parser.
Fixes 2nd half of #1011.
2016-06-30 15:48:02 -07:00
Leo Franchi 420a7cab7a [marked] Add preprocessors in marked and allow them to insert arbitrary HTML
(imported from commit 367418266f4fbe2d723212845f49f0d4356fab52)
2014-01-28 15:35:32 -05:00
Leo Franchi b119bf74ca [third] Update marked.js to HEAD to pull in javascript escape fixes
(imported from commit f673746c7f2d424c56b3e0b5d028952f97fb2a57)
2014-01-27 12:07:48 -05:00
Leo Franchi 439633fd03 More markdown compatibility fixes
* Escape " as &quot;
* Enable GFM newlines
* Output a linebreak after <br> in the generated markup

(imported from commit c007ec422054f9fc66a810b66aac70f70a2a1952)
2014-01-23 16:28:58 -05:00
Leo Franchi b1a6fdf5e2 Add support for realm filters to marked.js
(imported from commit cea1720b6535a23469185f0ad2677edd373e7cfb)
2014-01-23 16:28:57 -05:00
Leo Franchi 0de824f73e Add a zulip module to marked, which supports emoji and user mentions
This is partially inspired by https://github.com/chjj/marked/pull/238

(imported from commit 03b84cde88fc8c2fe31c1003a5ce852cc364733e)
2014-01-23 16:28:56 -05:00
Leo Franchi 835e385b75 [third] Add marked.js, a javascript markdown parser
(imported from commit e85d9b50328ce7d31882464fcc283478f7a9f753)
2014-01-23 16:28:54 -05:00