Commit Graph

148 Commits

Author SHA1 Message Date
Rohitt Vashishtha 3bdc8bbaa5 CVE-2018-9986: Fix XSS issues with frontend markdown processor.
This fixes a set of XSS issues with Zulip's frontend markdown
processor, which is used in a limited set of contexts, such as local
echo of messages and the drafts feature.

The implementation of several syntax elements, including the <em>
syntax, user and stream mentions, and some others failed to properly
escape the content inside the syntax.

Fix this, and add tests for each corrected code path.

Thanks to w2w for reporting this issue.
2018-04-12 09:46:37 -07:00
Shubham Dhama b650b6b38c markdown: Add @stream as an alias for @all.
Fixes: #8930.
2018-04-09 16:35:14 -07:00
Rohitt Vashishtha 115b633551 markdown-tests: Allow ignoring certain fixtures while developing.
Usually, to debug a small change, you have to remove some tests from JSON
because of lack of support for comments in JSON. This commit allows to
ignore some tests by setting `"ignore" : true` in the bugdown fixtures.

Also, since this is only for while developing, the complete test suite will
throw an error if we leave an 'ignored' test in a commit.
2018-03-28 17:35:47 -07:00
Rohitt Vashishtha c0ea4f2d5a markdown-tests: Show bugdown testcase name on failure. 2018-03-28 17:35:47 -07:00
Rohitt Vashishtha 3c96b04763 emoji: Add translate_emoticons flag in bugdown testcases.
Also switches the default behaviour of the code to not translate the
emoticons. Earlier, the code was testing-aware, and used to translate
when there was no user profile data available(assuming that as a testing
environment).
2018-03-27 17:16:55 -07:00
Rohitt Vashishtha b976447102 markdown: Test the translate_emoticons flag.
The main testing of the translate emoticons code is in the
node_tests/emoji.js file. This code just checks if the setting
to enable/disable the emoticon translation is being honored.
2018-03-27 17:16:55 -07:00
Aayush Agrawal 78a4924ecc markdown: Apply both bold and italic for words like ***text***.
Adds rule 'strong_em' to markdown parser to recognize ***{TEXT}***
Fixes #8155.
2018-03-23 15:01:24 -07:00
Harshit Bansal a49655e0d4 emoji: Migrate realm emoji to be addressed by `id` rather than `name`.
This commit migrates realm emoji to be addressed by their `id` rather
than their name. This fixes a long standing issue which was causing
an error on uploading an emoji with same name as a deactivated realm
emoji.

Fixes: #6977.
2018-03-20 22:24:44 -07:00
Marco Burstein bdb86f1b5e emoji: Add support for translating emoticons.
Add `translate_emoticons` to `prop_types` and `expected_keys`.
Furthermore, create a emoji-translating Markdown inline pattern.

Also use a JavaScript version of `translate_emoticons` and then use
this function during Markdown previews and as a preprocessor. This
is only needed for previews, because usually emoticon translation
happens on the backend after sending.

Add tests for emoticon translation, a settings UI, and a /help/ page
as well.

Tweaked by tabbott to fix various test failurse as well as how this
handles whitespace, requiring emoticons to not have adjacent
characters.

Fixes #1768.
2018-03-04 15:37:24 -08:00
Steve Howell 46a49777c4 Add stream ids to urls for stream-related narrows.
This commit prefixes stream names in urls with stream ids,
so that the urls don't break when we rename streams.

strean name: foo bar.com%
before: #narrow/stream/foo.20bar.2Ecom.25
after: #narrow/stream/20-foo-bar.2Ecom.25

For new realms, everything is simple under the new scheme, since
we just parse out the stream id every time to figure out where
to narrow.

For old realms, any old URLs will still work under the new scheme,
assuming the stream hasn't been renamed (and of course old urls
wouldn't have survived stream renaming in the first place).  The one
exception is the hopefully rare case of a stream name starting with
something like "99-" and colliding with another stream whose id is 99.

The way that we enocde the stream name portion of the URL is kind
of unimportant now, since we really only look at the stream id, but
we still want a safe encoding of the name that is mostly human
readable, so we now convert spaces to dashes in the stream name.  Also,
we try to ensure more code on both sides (frontend and backend) calls
common functions to do the encoding.

Fixes #4713
2018-02-19 09:03:11 -08:00
Shubham Dhama a32e1eb913 markdown: Require double-asterisk around all mentions.
This enforces `**` around all the mentions including "at-all" and
"at-everyone" mentions. Hence this makes `@all` and `@everyone`
invalid mentions, resulting into proper syntax for these mentions as
`@**all**` and `@**everyone**` respectively.

Note from tabbott: This removes an old feature/syntax, which made
sense back when @Tim was also a way to mention a user with Tim as
their first name.  Given how nice typeahead is now, the user part of
the feature was removed a while ago; this should have gone at the same
time.

Fixes: #8143.
2018-02-16 11:45:08 -08:00
Weronika Grzybowska 7ac7100a1d messages: Make checking for status message consistent with backend.
Adds a check for newline that was present on backend, but missing in the
frontend markdown implementation. Updating messages uses is_me_message flag
received from server instead of its own partial test. Similarly, rendering
previews uses markdown code.

Fixes #6493.
2018-01-23 09:26:41 -05:00
Steve Howell 0a3d769911 local echo: Bypass message.flags array.
We no longer set message.flags in the local echo path.

In the markdown parsing step, we just set message.mentioned
directly.

And then we change `insert_new_messages` to no longer
convert flags to booleans, and move that code to only
happen for incoming server message events.
2017-12-26 09:01:21 -05:00
Andy Perez 695affd44e node tests: Compare markdown using semantic equivalence.
Fix #4367
2017-12-18 19:03:38 -05:00
Umair Khan 4a0c372de4 get_user_group_from_name: Remove existence check.
Using user_group_name_dict.get() will return `undefined`.
`blueslip.error` statement caused an exception notification to the
admins.

Tweaked by tabbott to add a test for a nonexistent group.
2017-11-29 09:36:04 -08:00
Umair Khan 8f190e0746 user-groups: Update marked.js to do proper local echo for mentions.
We implement markdown in the JS as well to improve the
usability.  Comes complete withunit tests.

Fixes #7381.
2017-11-27 09:16:09 -08:00
Umair Khan 90994bccac user-groups: Recognize single asterisk for group mentions.
The character combination of @* now begins a group mention, so
this test is no longer valid.
2017-11-27 09:16:09 -08:00
Umair Khan c78846a274 markdown.js: Add error function to blueslip.
If we do not add this, we get an exception before we reach the
assertion.
2017-11-27 09:08:30 -08:00
Steve Howell ba79558257 node tests: Use zrequire in markdown.js. 2017-11-08 12:24:17 -08:00
Tim Abbott 417f92c8e1 markdown: Remove now-obsolete bugdown_matches_marked.
Fixes #7099.
2017-11-07 12:01:57 -08:00
Tim Abbott cf3d035edf eslint: Set array-bracket-spacing rule and clean project. 2017-10-06 12:43:12 -07:00
Harshit Bansal d4dfc53a0f emoji.js: Remove some unused data structures.
This commit removes some unused data structures: `emojis_by_unicode` and
`default_unicode_emojis` to be particular.
2017-09-29 11:17:06 -07:00
Harshit Bansal 5b5bcce098 emoji: Migrate bugdown emoji to use sprite sheets.
This commit switches to use sprite sheets for rendering emojis
in all the remaining places, i.e., message bodies and composebox
typeahead. This commit also includes some changes to notifications.py
file so that the spans used for rendering emojis can be converted
to corresponding image tags so that we don't break the emoji rendering
in missed message emails since we can't use sprite sheets there.

As part of switching the bugdown system to use sprite sheets, we need
to switch the name_to_codepoint mappings to match the new sprite
sheets.  This has the side effect of fixing a bunch of emoji like
numbers and flag emoji in the emoji pickers.

Fixes: #3895.
Fixes: #3972.
2017-09-29 11:14:34 -07:00
Tim Abbott e80f93dc42 markdown: Set is_me_message in apply_markdown.
This should make the variable available to things like drafts and
previews.
2017-08-27 09:34:24 -07:00
Tim Abbott 133f005530 markdown: Remove is_me_message UserMessage flags.
This never made sense to be a flag on the UserMessage table, since
it's not per-user state.  And in fact it doesn't need to be in a
database at all, since it's easily computed from content anyway.

Fixes #1099.
2017-08-27 09:34:24 -07:00
Aditya Bansal 245d571ae9 emoji.js: Refactor to make better use of initialize(). 2017-08-16 19:18:26 -04:00
Harshit Bansal a26b1188c6 minor: Indentation fix. 2017-07-31 12:42:36 -07:00
Harshit Bansal 3796292913 markdown: Fix the rendering of realm filters.
A realm filter should match only after the start of a line, whitespace
or opening delimiters. But markdown was not configured to respect those
rules which was causing some weird rendering behavior. This commit fixes
the regex used for matching realm filters. On the backend we are using
regex with negative lookbehind to perform matches but since javascript
regex don't support lookbehind we are using a workaround on the frontend
using `contains_backend_only_syntax()` function which detects if a realm
filter can be rendered correctly by backend only and if so it stops the
message from getting echoed locally.

Fixes: #5154.
2017-07-31 12:42:36 -07:00
Tim Abbott 76c92ad676 markdown: Enforce backend-only-syntax checks in node tests.
While we do have some known cases where syntax diverges intentionally,
this change should make it a lot easier to maintain
markdown.contains_backend_only_syntax over time.
2017-07-28 18:17:25 -07:00
Tim Abbott 1360e1c5fd markdown: Add support for specifying marked output when not matching.
This lets us document cases where the syntax is intentionally
different in ways that we don't think are problematic.
2017-07-28 18:13:15 -07:00
Tim Abbott 4b7c23f133 markdown: Rename bugdown-data.json to a more reasonable name. 2017-07-28 17:54:01 -07:00
Tim Abbott 4f4d28477d markdown: Rename markdown.contains_bugdown.
This name was confusing, since "bugdown" doesn't exactly suggest
"backend markdown processor" to people.
2017-07-28 17:51:33 -07:00
Joshua Pan e6611fec99 markdown.js: Remove paragraph break from numbered lists.
Fixes #5902.
2017-07-28 12:32:20 -07:00
digi0ps 2d92f9dc0b emoji: Change emoji image titles to use spaces instead of underscores.
Previously, the emoji images title display `🍼`.
This commit changes the title to display `baby bottle`.
2017-07-26 09:27:17 -07:00
Joshua Pan 09043c25ca markdown.js: Move markdown.js test to bugdown-data.json. 2017-07-18 12:56:47 -07:00
Joshua Pan 5e5ca48063 markdown.js: Fix inconsistent #**stream** on new line.
This commit removes all code related to headers because
(1) we don't need the code and (2) it splits #**stream**
as a paragraph, which we don't want. This commit also
fixes the inconsistency when #**stream** is on a new line.

Fixes #4678.
2017-07-18 11:07:25 -07:00
Joshua Pan ec669a0c45 markdown.js: Fix inconsistent user mention on new line.
The user mention regex was checking for multiple lines,
so it broke when the user mention was on a new line.
This changes the regex AND adds a couple tests to
test inline markdown regexes.
2017-07-18 00:07:49 -07:00
Harshit Bansal 4cb8ac100a emoji: Fix the title and alt text for unicode emojis.
Unicode emojis when rendered should display canonical short name.
Similarly, the alt text should be of the format `:<short_name>:`.
For both of these we currently display the actual unicode symbol.
As some systems don't have the fonts necessary for displaying them
properly, they are rendered as empty square blocks. This commit also
ensures that the markup generated for emoji generated by canonical
name and by an unicode emoji is same.

Fixes: #5555.
2017-07-01 11:14:24 -07:00
Cory Lynch 7f8ecb62c9 fenced_code.js: Improve coverage to 100%. 2017-06-19 06:53:25 -04:00
Yago González 1d47a7b505 node tests: Replace stub jQuery with zjquery. 2017-06-15 09:08:40 -04:00
Yago González 98e74db6e8 node tests: Remove unnecessary dependency (hashchange). 2017-06-15 09:08:40 -04:00
Yago González 31d81e2c9b node tests: Add coverage for unexpected exceptions in handleTex. 2017-06-15 09:08:40 -04:00
Yago González 6c0dfa7f8f node tests: Fix format in markdown.js tests.
Replaced 2-space indentation with 4 spaces, and removed a couple
unnecessary newlines.
2017-06-15 09:08:40 -04:00
Yago González 44078a73bf node tests: Add coverage for python_to_js_filter. 2017-06-15 09:08:40 -04:00
Yago González 97a07f311e node tests: Add coverage for add_subject_links. 2017-06-15 09:08:40 -04:00
Yago González ae67f9044d node tests: Add coverage for handleUnicodeEmoji. 2017-06-15 09:08:40 -04:00
Steve Howell c02f4b4756 Add people.initialize().
This makes us not have to stub jquery in many of our node
tests!
2017-05-23 19:35:08 -07:00
Steve Howell 0a0f567aeb Split out markdown.js from echo.js.
The new module handles markdown rendering.

The code left behind in echo.js does local-echo kind of things
like reifying message ids.
2017-05-09 11:06:10 -07:00