html escapse targets

matrix-org · Nov 22, 2024 · 8cd1726 · 8cd1726
1 parent 82d3341
commit 8cd1726
Show file tree

Hide file tree

Showing 6 changed files with 13 additions and 10 deletions.
diff --git a/src/ProtectedRoomsSet.ts b/src/ProtectedRoomsSet.ts
@@ -366,7 +366,7 @@ export class ProtectedRoomsSet {
                     msgtype: "m.text",
                     body: `Applying ACL in ${roomId}.`,
                     format: "org.matrix.custom.html",
-                    formatted_body: `Applying ACL in <span data-mx-spoiler>${roomId}</span>.`,
+                    formatted_body: `Applying ACL in <span data-mx-spoiler>${htmlEscape(roomId)}</span>.`,
                 });
 
                 if (!this.config.noop) {
@@ -443,7 +443,7 @@ export class ProtectedRoomsSet {
                             msgtype: "m.text",
                             body: `Banning ${member.userId} in ${roomId} for: ${reason}.`,
                             format: "org.matrix.custom.html",
-                            formatted_body: `Banning <span data-mx-spoiler>${member.userId}</span> in ${roomId} for: ${reason}.`,
+                            formatted_body: `Banning <span data-mx-spoiler>${htmlEscape(member.userId)}</span> in ${roomId} for: ${reason}.`,
                         });
 
                         if (!this.config.noop) {

diff --git a/src/commands/KickCommand.ts b/src/commands/KickCommand.ts
@@ -16,6 +16,7 @@ limitations under the License.
 
 import { Mjolnir } from "../Mjolnir";
 import { LogLevel, MatrixGlob, RichReply } from "@vector-im/matrix-bot-sdk";
+import {htmlEscape} from "../utils";
 
 // !mjolnir kick <user|filter> [room] [reason]
 export async function execKickCommand(roomId: string, event: any, mjolnir: Mjolnir, parts: string[]) {
@@ -61,7 +62,7 @@ export async function execKickCommand(roomId: string, event: any, mjolnir: Mjoln
                     msgtype: "m.text",
                     body: `Removing ${target} in ${protectedRoomId}.`,
                     format: "org.matrix.custom.html",
-                    formatted_body: `Removing <span data-mx-spoiler>${target}</span> in ${protectedRoomId}.`,
+                    formatted_body: `Removing <span data-mx-spoiler>${htmlEscape(target)}</span> in ${protectedRoomId}.`,
                 });
 
                 if (!mjolnir.config.noop) {
@@ -74,7 +75,7 @@ export async function execKickCommand(roomId: string, event: any, mjolnir: Mjoln
                             msgtype: "m.text",
                             body: `An error happened while trying to kick ${target}: ${e}`,
                             format: "org.matrix.custom.html",
-                            formatted_body: `An error happened while trying to kick <span data-mx-spoiler>${target}</span>: ${e}.`,
+                            formatted_body: `An error happened while trying to kick <span data-mx-spoiler>${htmlEscape(target)}</span>: ${e}.`,
                         });
                     }
                 } else {

diff --git a/src/commands/SuspendCommand.ts b/src/commands/SuspendCommand.ts
@@ -16,6 +16,7 @@ limitations under the License.
 
 import { Mjolnir } from "../Mjolnir";
 import { RichReply } from "@vector-im/matrix-bot-sdk";
+import {htmlEscape} from "../utils";
 
 export async function execSuspendCommand(roomId: string, event: any, mjolnir: Mjolnir, parts: string[]) {
     const target = parts[2];
@@ -31,7 +32,7 @@ export async function execSuspendCommand(roomId: string, event: any, mjolnir: Mj
 
     await mjolnir.suspendSynapseUser(target);
     const msg = `User ${target} has been suspended.`;
-    const htmlMsg = `User <span data-mx-spoiler>${target}</span> has been suspended.`;
+    const htmlMsg = `User <span data-mx-spoiler>${htmlEscape(target)}</span> has been suspended.`;
     const confirmation = RichReply.createFor(roomId, event, msg, htmlMsg);
     confirmation["msgtype"] = "m.notice";
     await mjolnir.client.sendMessage(roomId, confirmation);

diff --git a/src/protections/BasicFlooding.ts b/src/protections/BasicFlooding.ts
@@ -18,6 +18,7 @@ import { Protection } from "./IProtection";
 import { NumberProtectionSetting } from "./ProtectionSettings";
 import { Mjolnir } from "../Mjolnir";
 import { LogLevel, LogService } from "@vector-im/matrix-bot-sdk";
+import {htmlEscape} from "../utils";
 
 // if this is exceeded, we'll ban the user for spam and redact their messages
 export const DEFAULT_MAX_PER_MINUTE = 10;
@@ -72,7 +73,7 @@ export class BasicFlooding extends Protection {
                 msgtype: "m.text",
                 body: `Banning ${event["sender"]} in ${roomId} for flooding (${messageCount} messages in the last minute)`,
                 format: "org.matrix.custom.html",
-                formatted_body: `Banning <span data-mx-spoiler>${event["sender"]}</span> in ${roomId} for flooding (${messageCount} messages in the last minute).`,
+                formatted_body: `Banning <span data-mx-spoiler>${htmlEscape(event["sender"])}</span> in ${roomId} for flooding (${messageCount} messages in the last minute).`,
             });
             if (!mjolnir.config.noop) {
                 if (mjolnir.moderators.checkMembership(event["sender"])) {

diff --git a/src/protections/FirstMessageIsImage.ts b/src/protections/FirstMessageIsImage.ts
@@ -17,7 +17,7 @@ limitations under the License.
 import { Protection } from "./IProtection";
 import { Mjolnir } from "../Mjolnir";
 import { LogLevel, LogService } from "@vector-im/matrix-bot-sdk";
-import { isTrueJoinEvent } from "../utils";
+import {htmlEscape, isTrueJoinEvent} from "../utils";
 
 export class FirstMessageIsImage extends Protection {
     private justJoined: { [roomId: string]: string[] } = {};
@@ -62,7 +62,7 @@ export class FirstMessageIsImage extends Protection {
                     msgtype: "m.text",
                     body: `Banning ${event["sender"]} for posting an image as the first thing after joining in ${roomId}.`,
                     format: "org.matrix.custom.html",
-                    formatted_body: `Banning <span data-mx-spoiler>${event["sender"]}</span> for posting an image as the first thing after joining in ${roomId}.`,
+                    formatted_body: `Banning <span data-mx-spoiler>${htmlEscape(event["sender"])}</span> for posting an image as the first thing after joining in ${roomId}.`,
                 });
                 if (!mjolnir.config.noop) {
                     if (mjolnir.moderators.checkMembership(event["sender"])) {

diff --git a/src/utils.ts b/src/utils.ts
@@ -134,7 +134,7 @@ async function botRedactUserMessagesIn(
                 msgtype: "m.text",
                 body: `Caught an error while trying to redact messages for ${userIdOrGlob} in ${targetRoomId}: ${error}`,
                 format: "org.matrix.custom.html",
-                formatted_body: `Caught an error while trying to redact messages for <span data-mx-spoiler>${userIdOrGlob}</span> in ${targetRoomId}: ${error}`,
+                formatted_body: `Caught an error while trying to redact messages for <span data-mx-spoiler>${htmlEscape(userIdOrGlob)}</span> in ${targetRoomId}: ${error}`,
             });
         }
     }
@@ -219,7 +219,7 @@ export async function redactUserMessagesIn(
                 msgtype: "m.text",
                 body: `Error using admin API to redact messages for user ${userIdOrGlob}, please check logs for more info - falling back to non-admin redaction process.`,
                 format: "org.matrix.custom.html",
-                formatted_body: `Error using admin API to redact messages for user <span data-mx-spoiler>${userIdOrGlob}</span>, please check logs for more info - falling
+                formatted_body: `Error using admin API to redact messages for user <span data-mx-spoiler>${htmlEscape(userIdOrGlob)}</span>, please check logs for more info - falling
                 back to non-admin redaction process.`,
             });
             await botRedactUserMessagesIn(client, managementRoom, userIdOrGlob, filteredRooms, limit, noop);