Remove link rewriting option as it is easily bypassable

signup-info-prompt
Thibaut Girka 2019-08-01 18:48:16 +02:00 committed by ThibG
parent 76b80a1511
commit ff0ceb28b3
5 changed files with 17 additions and 75 deletions

View File

@ -699,7 +699,7 @@ class Status extends ImmutablePureComponent {
onExpandedToggle={this.handleExpandedToggle} onExpandedToggle={this.handleExpandedToggle}
parseClick={parseClick} parseClick={parseClick}
disabled={!router} disabled={!router}
linkRewriting={settings.get('link_rewriting')} tagLinks={settings.get('tag_misleading_links')}
/> />
{!isCollapsed || !(muted || !settings.getIn(['collapsed', 'show_action_bar'])) ? ( {!isCollapsed || !(muted || !settings.getIn(['collapsed', 'show_action_bar'])) ? (
<StatusActionBar <StatusActionBar

View File

@ -8,31 +8,13 @@ import classnames from 'classnames';
import { autoPlayGif } from 'flavours/glitch/util/initial_state'; import { autoPlayGif } from 'flavours/glitch/util/initial_state';
import { decode as decodeIDNA } from 'flavours/glitch/util/idna'; import { decode as decodeIDNA } from 'flavours/glitch/util/idna';
// Regex matching what "looks like a link", that is, something that starts with
// an optional "http://" or "https://" scheme and then what could look like a
// domain main, that is, at least two sequences of characters not including spaces
// and separated by "." or an homoglyph. The idea is not to match valid URLs or
// domain names, but what could be confused for a valid URL or domain name,
// especially to the untrained eye.
const h_confusables = 'h\u13c2\u1d58d\u1d4f1\u1d691\u0068\uff48\u1d525\u210e\u1d489\u1d629\u0570\u1d4bd\u1d65d\u1d421\u1d5c1\u1d5f5\u04bb\u1d559';
const t_confusables = 't\u1d42d\u1d5cd\u1d531\u1d565\u1d4c9\u1d669\u1d4fd\u1d69d\u0074\u1d461\u1d601\u1d495\u1d635\u1d599';
const p_confusables = 'p\u0440\u03c1\u1d52d\u1d631\u1d665\u1d429\uff50\u1d6e0\u1d45d\u1d561\u1d595\u1d71a\u1d699\u1d78e\u2ca3\u1d754\u1d6d2\u1d491\u1d7c8\u1d746\u1d4c5\u1d70c\u1d5c9\u0070\u1d780\u03f1\u1d5fd\u2374\u1d7ba\u1d4f9';
const s_confusables = 's\u1d530\u118c1\u1d494\u1d634\u1d4c8\u1d668\uabaa\u1d42c\u1d5cc\u1d460\u1d600\ua731\u0073\uff53\u1d564\u0455\u1d598\u1d4fc\u1d69c\u10448\u01bd';
const column_confusables = ':\u0903\u0a83\u0703\u1803\u05c3\u0704\u0589\u1809\ua789\u16ec\ufe30\u02d0\u2236\u02f8\u003a\uff1a\u205a\ua4fd';
const slash_confusables = '/\u2041\u2f03\u2044\u2cc6\u27cb\u30ce\u002f\u2571\u31d3\u3033\u1735\u2215\u29f8\u1d23a\u4e3f';
const dot_confusables = '.\u002e\u0660\u06f0\u0701\u0702\u2024\ua4f8\ua60e\u10a50\u1d16d';
const linkRegex = new RegExp(`^\\s*(([${h_confusables}][${t_confusables}][${t_confusables}][${p_confusables}][${s_confusables}]?[${column_confusables}][${slash_confusables}][${slash_confusables}]))?[^:/\\n ]+([${dot_confusables}][^:/\\n ]+)+`);
const textMatchesTarget = (text, origin, host) => { const textMatchesTarget = (text, origin, host) => {
return (text === origin || text === host return (text === origin || text === host
|| text.startsWith(origin + '/') || text.startsWith(host + '/') || text.startsWith(origin + '/') || text.startsWith(host + '/')
|| 'www.' + text === host || ('www.' + text).startsWith(host + '/')); || 'www.' + text === host || ('www.' + text).startsWith(host + '/'));
} }
// If `checkUrlLike` is true, consider only URL-like link texts to be misleading const isLinkMisleading = (link) => {
const isLinkMisleading = (link, checkUrlLike = true) => {
let linkTextParts = []; let linkTextParts = [];
// Reconstruct visible text, as we do not have much control over how links // Reconstruct visible text, as we do not have much control over how links
@ -69,12 +51,7 @@ const isLinkMisleading = (link, checkUrlLike = true) => {
const host = targetURL.host.replace(targetURL.hostname, hostname); const host = targetURL.host.replace(targetURL.hostname, hostname);
const origin = targetURL.origin.replace(targetURL.host, host); const origin = targetURL.origin.replace(targetURL.host, host);
const text = linkText.normalize('NFKC'); const text = linkText.normalize('NFKC');
if (textMatchesTarget(text, origin, host) || textMatchesTarget(text.toLowerCase(), origin, host)) { return !(textMatchesTarget(text, origin, host) || textMatchesTarget(text.toLowerCase(), origin, host));
return false;
}
// If the link text looks like an URL or auto-generated link, it is misleading
return !checkUrlLike || linkRegex.test(linkText);
}; };
export default class StatusContent extends React.PureComponent { export default class StatusContent extends React.PureComponent {
@ -89,11 +66,11 @@ export default class StatusContent extends React.PureComponent {
parseClick: PropTypes.func, parseClick: PropTypes.func,
disabled: PropTypes.bool, disabled: PropTypes.bool,
onUpdate: PropTypes.func, onUpdate: PropTypes.func,
linkRewriting: PropTypes.string, tagLinks: PropTypes.bool,
}; };
static defaultProps = { static defaultProps = {
linkRewriting: 'tag', tagLinks: true,
}; };
state = { state = {
@ -102,7 +79,7 @@ export default class StatusContent extends React.PureComponent {
_updateStatusLinks () { _updateStatusLinks () {
const node = this.contentsNode; const node = this.contentsNode;
const { linkRewriting } = this.props; const { tagLinks } = this.props;
if (!node) { if (!node) {
return; return;
@ -129,35 +106,7 @@ export default class StatusContent extends React.PureComponent {
link.setAttribute('title', link.href); link.setAttribute('title', link.href);
link.classList.add('unhandled-link'); link.classList.add('unhandled-link');
if (linkRewriting === 'rewrite' && isLinkMisleading(link)) { if (tagLinks && isLinkMisleading(link)) {
// Rewrite misleading links entirely
while (link.firstChild) {
link.removeChild(link.firstChild);
}
const prefix = (link.href.match(/https?:\/\/(www\.)?/) || [''])[0];
const text = link.href.substr(prefix.length, 30);
const suffix = link.href.substr(prefix.length + 30);
const cutoff = !!suffix;
const prefixTag = document.createElement('span');
prefixTag.classList.add('invisible');
prefixTag.textContent = prefix;
link.appendChild(prefixTag);
const textTag = document.createElement('span');
if (cutoff) {
textTag.classList.add('ellipsis');
}
textTag.textContent = text;
link.appendChild(textTag);
const suffixTag = document.createElement('span');
suffixTag.classList.add('invisible');
suffixTag.textContent = suffix;
link.appendChild(suffixTag);
} else if (linkRewriting === 'tag' && isLinkMisleading(link, false)) {
// Add a tag besides the link to display its origin // Add a tag besides the link to display its origin
const tag = document.createElement('span'); const tag = document.createElement('span');
@ -287,7 +236,7 @@ export default class StatusContent extends React.PureComponent {
mediaIcon, mediaIcon,
parseClick, parseClick,
disabled, disabled,
linkRewriting, tagLinks,
} = this.props; } = this.props;
const hidden = this.props.onExpandedToggle ? !this.props.expanded : this.state.hidden; const hidden = this.props.onExpandedToggle ? !this.props.expanded : this.state.hidden;
@ -362,7 +311,7 @@ export default class StatusContent extends React.PureComponent {
<div className={`status__content__spoiler ${!hidden ? 'status__content__spoiler--visible' : ''}`}> <div className={`status__content__spoiler ${!hidden ? 'status__content__spoiler--visible' : ''}`}>
<div <div
ref={this.setContentsRef} ref={this.setContentsRef}
key={`contents-${linkRewriting}`} key={`contents-${tagLinks}`}
style={directionStyle} style={directionStyle}
tabIndex={!hidden ? 0 : null} tabIndex={!hidden ? 0 : null}
dangerouslySetInnerHTML={content} dangerouslySetInnerHTML={content}
@ -386,7 +335,7 @@ export default class StatusContent extends React.PureComponent {
> >
<div <div
ref={this.setContentsRef} ref={this.setContentsRef}
key={`contents-${linkRewriting}`} key={`contents-${tagLinks}`}
dangerouslySetInnerHTML={content} dangerouslySetInnerHTML={content}
lang={status.get('language')} lang={status.get('language')}
className='status__content__text' className='status__content__text'
@ -403,7 +352,7 @@ export default class StatusContent extends React.PureComponent {
tabIndex='0' tabIndex='0'
ref={this.setRef} ref={this.setRef}
> >
<div ref={this.setContentsRef} key={`contents-${linkRewriting}`} className='status__content__text' dangerouslySetInnerHTML={content} lang={status.get('language')} tabIndex='0' /> <div ref={this.setContentsRef} key={`contents-${tagLinks}`} className='status__content__text' dangerouslySetInnerHTML={content} lang={status.get('language')} tabIndex='0' />
{media} {media}
</div> </div>
); );

View File

@ -25,9 +25,6 @@ const messages = defineMessages({
filters_upstream: { id: 'settings.filtering_behavior.upstream', defaultMessage: 'Show "filtered" like vanilla Mastodon' }, filters_upstream: { id: 'settings.filtering_behavior.upstream', defaultMessage: 'Show "filtered" like vanilla Mastodon' },
filters_hide: { id: 'settings.filtering_behavior.hide', defaultMessage: 'Show "filtered" and add a button to display why' }, filters_hide: { id: 'settings.filtering_behavior.hide', defaultMessage: 'Show "filtered" and add a button to display why' },
filters_cw: { id: 'settings.filtering_behavior.cw', defaultMessage: 'Still display the post, and add filtered words to content warning' }, filters_cw: { id: 'settings.filtering_behavior.cw', defaultMessage: 'Still display the post, and add filtered words to content warning' },
link_rewriting_none: { id: 'settings.link_rewriting.none', defaultMessage: 'Do not rewrite links' },
link_rewriting_rewrite: { id: 'settings.link_rewriting.rewrite', defaultMessage: 'Rewrite links that may be misleading' },
link_rewriting_tag: { id: 'settings.link_rewriting.tag', defaultMessage: 'Tag links with their target host unless it is already explicit' },
}); });
@injectIntl @injectIntl
@ -71,16 +68,12 @@ export default class LocalSettingsPage extends React.PureComponent {
</LocalSettingsPageItem> </LocalSettingsPageItem>
<LocalSettingsPageItem <LocalSettingsPageItem
settings={settings} settings={settings}
item={['link_rewriting']} item={['tag_misleading_links']}
id='mastodon-settings--link_rewriting' id='mastodon-settings--tag_misleading_links'
options={[
{ value: 'none', message: intl.formatMessage(messages.link_rewriting_none) },
{ value: 'rewrite', message: intl.formatMessage(messages.link_rewriting_rewrite) },
{ value: 'tag', message: intl.formatMessage(messages.link_rewriting_tag) },
]}
onChange={onChange} onChange={onChange}
> >
<FormattedMessage id='settings.link_rewriting' defaultMessage='Link rewriting' /> <FormattedMessage id='settings.tag_misleading_links' defaultMessage='Tag misleading links' />
<span className='hint'><FormattedMessage id='settings.tag_misleading_links.hint' defaultMessage="Add a visual indication with the link target host to every link not mentioning it explicitly" /></span>
</LocalSettingsPageItem> </LocalSettingsPageItem>
<section> <section>
<h2><FormattedMessage id='settings.notifications_opts' defaultMessage='Notifications options' /></h2> <h2><FormattedMessage id='settings.notifications_opts' defaultMessage='Notifications options' /></h2>

View File

@ -241,7 +241,7 @@ export default class DetailedStatus extends ImmutablePureComponent {
onExpandedToggle={onToggleHidden} onExpandedToggle={onToggleHidden}
parseClick={this.parseClick} parseClick={this.parseClick}
onUpdate={this.handleChildUpdate} onUpdate={this.handleChildUpdate}
linkRewriting={settings.get('link_rewriting')} tagLinks={settings.get('tag_misleading_links')}
disabled disabled
/> />

View File

@ -22,7 +22,7 @@ const initialState = ImmutableMap({
hicolor_privacy_icons: false, hicolor_privacy_icons: false,
show_content_type_choice: false, show_content_type_choice: false,
filtering_behavior: 'hide', filtering_behavior: 'hide',
link_rewriting: 'tag', tag_misleading_links: true,
content_warnings : ImmutableMap({ content_warnings : ImmutableMap({
auto_unfold : false, auto_unfold : false,
filter : null, filter : null,