We already escape the entire content and don't need to escape the link content a second time. Otherwise, when a link contains, for example, an apostrophe, it's double encoded to `&apos;` before being displayed on the page. Regression from #3222
We've been mostly relying on the 3rd party xss cleaner to make sure user submitted content is clean. This PR fixes up any leftover holes in the bbcode parser that allow xss vulnerabilities, and as a result, the 3rd party library isn't needed anymore. It cleans responsibly by first, running `htmlspecialchars()` over the content, followed by sanitizing the untrusted urls and whitelisting their protocol.
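The escape-once-then-validate ordering described above, as an added example that is not the project's own parser code. It assumes a `[url=...]...[/url]` tag, an allowlist of `http`, `https` and `mailto`, and treats scheme-less (relative) links as acceptable; the link text is never escaped a second time, which is the double-encoding bug the previous note describes.

```php
<?php
// Added example, not the project's code: escape the whole content once, then
// validate each [url=...] against a scheme allowlist before emitting an anchor.

/** Schemes a user-supplied link may use (assumed allowlist). */
const ALLOWED_SCHEMES = ['http', 'https', 'mailto'];

/** Return the URL if its scheme is allowed (or absent), otherwise null. */
function sanitizeUrl(string $url): ?string
{
    // Undo the step-1 escaping so the scheme check sees the raw URL.
    $raw = html_entity_decode(trim($url), ENT_QUOTES | ENT_HTML5, 'UTF-8');
    // Drop control characters and whitespace that browsers ignore inside a scheme.
    $raw = preg_replace('/[\x00-\x20\x7f]/', '', $raw);
    if (!preg_match('/^([a-z][a-z0-9+.-]*):/i', $raw, $m)) {
        // No scheme: a relative URL, resolved by the browser against the page.
        return $raw;
    }
    return in_array(strtolower($m[1]), ALLOWED_SCHEMES, true) ? $raw : null;
}

/** Render [url=...]text[/url] into an anchor; everything else stays escaped text. */
function renderBbcodeUrl(string $input): string
{
    // Step 1: escape the entire content exactly once.
    $escaped = htmlspecialchars($input, ENT_QUOTES | ENT_HTML5, 'UTF-8');

    // Step 2: rewrite link tags. The href is re-encoded for the attribute; the
    // link text ($m[2]) is already escaped and must NOT be escaped again.
    return preg_replace_callback(
        '/\[url=([^\]]+)\](.*?)\[\/url\]/is',
        function (array $m): string {
            $href = sanitizeUrl($m[1]);
            if ($href === null) {
                // Disallowed scheme: keep the visible text, drop the link.
                return $m[2];
            }
            $hrefAttr = htmlspecialchars($href, ENT_QUOTES | ENT_HTML5, 'UTF-8');
            return '<a href="' . $hrefAttr . '" rel="noopener noreferrer">' . $m[2] . '</a>';
        },
        $escaped
    );
}

// Constructed inputs: an apostrophe in both href and text, and a non-http scheme.
echo renderBbcodeUrl("[url=https://example.com/?q=it's]It's here[/url]"), "\n";
echo renderBbcodeUrl("[url=javascript:alert(1)]click[/url]"), "\n";
```

The first call prints `<a href="https://example.com/?q=it&#039;s" rel="noopener noreferrer">It&#039;s here</a>`: the apostrophe is encoded once in each place. The second prints only `click`, because the scheme is not on the allowlist.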
It's too easy for sysops to add `https://*imgur.com/**` instead of properly adding `https://*.imgur.com/**` or even better, `https://i.imgur.com/**`. This makes it easier to spot syntax errors, since the intended whitelisted domain won't work. Add some more documentation to encourage safe practices and add example evil URLs that are permitted by the bypass for visual feedback of what is allowed.
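The "visual feedback" idea above, as an added example that is not the project's code. It assumes wildcard semantics in which `*` matches any run of characters except `.` and `/` (one hostname label) and `**` matches anything; under those rules the three patterns from the note are probed against a legitimate URL and a constructed look-alike domain, so a sysop can see at once which pattern admits what.

```php
<?php
// Added example, not the project's code. Assumed wildcard rules:
//   *   any run of characters except "." and "/"  (a single hostname label)
//   **  anything at all, including "." and "/"

/** Convert an allowlist pattern into an anchored, case-insensitive regex. */
function wildcardToRegex(string $pattern): string
{
    $regex = '';
    $len = strlen($pattern);
    for ($i = 0; $i < $len; $i++) {
        if ($pattern[$i] === '*') {
            if ($i + 1 < $len && $pattern[$i + 1] === '*') {
                $regex .= '.*';      // "**"
                $i++;
            } else {
                $regex .= '[^./]*';  // "*"
            }
        } else {
            $regex .= preg_quote($pattern[$i], '#');
        }
    }
    return '#^' . $regex . '$#i';
}

function urlMatchesPattern(string $url, string $pattern): bool
{
    return preg_match(wildcardToRegex($pattern), $url) === 1;
}

/** Return the subset of $probes that a pattern admits. */
function admittedUrls(string $pattern, array $probes): array
{
    $hits = array_filter($probes, function (string $u) use ($pattern): bool {
        return urlMatchesPattern($u, $pattern);
    });
    return array_values($hits);
}

// Constructed probe URLs: the intended host and a look-alike registered domain.
$probes = [
    'https://i.imgur.com/abc.png',
    'https://evilimgur.com/abc.png',
];

foreach (['https://*imgur.com/**', 'https://*.imgur.com/**', 'https://i.imgur.com/**'] as $p) {
    echo $p, ' admits: ', implode(', ', admittedUrls($p, $probes)) ?: '(none)', "\n";
}
```

With these rules `https://*imgur.com/**` admits only `https://evilimgur.com/abc.png` and rejects the intended `i.imgur.com`, which is exactly the signal the note wants an operator to notice; `https://*.imgur.com/**` and `https://i.imgur.com/**` admit the legitimate URL and nothing else.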
Pages support markdown as well as bbcode, and handle linebreaks themselves. We shouldn't convert linebreaks in the bbcode parser in such scenarios. Also remove an unused variable.
- github action updated with new ruleset in pint.json
- codebase linted with new ruleset
- contributors can now run `./vendor/bin/pint`
- action workflow will auto correct any lint issues upon commit/opened pull request
There are many cases where more flexible user input is desired. The output gets rendered through the Blade template anyway which escapes malicious input.
Initially, characters were only allowed when there was only one of them, so `[color=r]` would be accepted, but not `[color=red]`. This issue is now fixed.
Additionally, short hex codes with transparency (e.g. `[color=#0123]`) were also broken. This has now been fixed.
Color values such as rgb(), rgba(), hsl() and hsla() are intentionally unsupported to prevent feature creep.
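A value check matching the three notes above, as an added example that is not the project's code. It accepts multi-character colour names (so `red`, not only `r`) and 3-, 4-, 6- and 8-digit hex codes including the short form with transparency, rejects `rgb()`/`hsl()` families and anything that could break out of a `style` attribute, and only then builds the span. The tag syntax and the absence of a named-colour list are assumptions.

```php
<?php
// Added example, not the project's code: validate [color=...] values before
// they reach a style attribute. Assumed tag form: [color=VALUE]text[/color].

/** Named colours (letters only) or #rgb, #rgba, #rrggbb, #rrggbbaa. */
function isValidBbcodeColor(string $value): bool
{
    // Any number of letters, not just one: [color=red] as well as [color=r].
    if (preg_match('/^[a-z]+$/i', $value) === 1) {
        return true;
    }
    // {3,4} covers the short form with transparency, e.g. #0123.
    return preg_match('/^#(?:[0-9a-f]{3,4}|[0-9a-f]{6}|[0-9a-f]{8})$/i', $value) === 1;
}

/** Render [color=...]...[/color]; invalid values leave the text unstyled. */
function renderBbcodeColor(string $input): string
{
    $escaped = htmlspecialchars($input, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return preg_replace_callback(
        '/\[color=([^\]]+)\](.*?)\[\/color\]/is',
        function (array $m): string {
            // The value is already entity-encoded; validate it decoded.
            $value = html_entity_decode($m[1], ENT_QUOTES | ENT_HTML5, 'UTF-8');
            if (!isValidBbcodeColor($value)) {
                return $m[2];
            }
            // Validation guarantees only [a-z0-9#], so the attribute needs no further escaping.
            return '<span style="color:' . $value . '">' . $m[2] . '</span>';
        },
        $escaped
    );
}

// Constructed inputs covering the cases described in the notes.
$cases = [
    'r',                          // true
    'red',                        // true (previously rejected)
    '#0123',                      // true (short hex with alpha, previously broken)
    '#ff000080',                  // true
    'rgb(255,0,0)',               // false, intentionally unsupported
    'red;background:url(x)',      // false, attribute breakout attempt
];
foreach ($cases as $c) {
    echo str_pad($c, 24), isValidBbcodeColor($c) ? 'valid' : 'rejected', "\n";
}
echo renderBbcodeColor('[color=red]hi[/color] [color=rgb(0,0,0)]no[/color]'), "\n";
```

The last line prints `<span style="color:red">hi</span> no`: the supported value becomes a span, the unsupported one is left as plain text rather than passed through to CSS.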