From d9acaa2148a3d256207c1aea2cc6b4900f1fbdb1 Mon Sep 17 00:00:00 2001
From: Jayden Bailey
Date: Tue, 4 May 2021 16:25:04 +0100
Subject: [PATCH] [backport] Sanitise summary/reason text input (closes #13)
---
 src/DiscordHooks.php | 20 ++++++++++----------
 src/Utils.php | 9 +++++++++
 2 files changed, 19 insertions(+), 10 deletions(-)
diff --git a/src/DiscordHooks.php b/src/DiscordHooks.php
index 74ae20b..53e1e38 100644
--- a/src/DiscordHooks.php
+++ b/src/DiscordHooks.php
@@ -47,7 +47,7 @@ class DiscordHooks {
 $msg = wfMessage( $msgKey, DiscordUtils::createUserLinks( $user ), DiscordUtils::createMarkdownLink( $wikiPage->getTitle(), $wikiPage->getTitle()->getFullUrl( '', '', $proto = PROTO_HTTP ) ), DiscordUtils::createRevisionText( $revision ),
- ( $summary ? ('`' . DiscordUtils::truncateText( $summary ) . '`' ) : '' ) )->plain();
+ ( $summary ? ('`' . DiscordUtils::sanitiseText( DiscordUtils::truncateText( $summary ) ) . '`' ) : '' ) )->plain();
 DiscordUtils::handleDiscord(':pencil2:', $msg);
 return true;
 }
@@ -70,7 +70,7 @@ class DiscordHooks {
 $msg = wfMessage( 'discord-articledelete', DiscordUtils::createUserLinks( $user ), DiscordUtils::createMarkdownLink( $article->getTitle(), $article->getTitle()->getFullUrl( '', '', $proto = PROTO_HTTP ) ),
- ( $reason ? ('`' . DiscordUtils::truncateText( $reason ) . '`' ) : '' ),
+ ( $reason ? ('`' . DiscordUtils::sanitiseText( DiscordUtils::truncateText( $reason ) ) . '`' ) : '' ),
 $archivedRevisionCount)->plain();
 DiscordUtils::handleDiscord(':wastebasket:', $msg);
 return true;
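Review bot: The guarded expression `( $summary ? ('`' . DiscordUtils::sanitiseText( DiscordUtils::truncateText( $summary ) ) . '`' ) : '' )` introduced on the `+` line is now repeated verbatim, with only the variable name changed, in every hook of this file, so any future change to the quoting or to the sanitise/truncate order has to be made ten times. A single helper next to sanitiseText would keep the policy in one place, e.g. `public static function formatComment( $text ) { return $text ? '`' . self::sanitiseText( self::truncateText( $text ) ) . '`' : ''; }`, after which this line becomes `DiscordUtils::formatComment( $summary ) )->plain();`. The truthiness test is carried over from the old line and still treats the summary "0" as absent, which may or may not be intended. The enclosing hook method starts outside this hunk.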
@@ -97,7 +97,7 @@ class DiscordHooks {
 $msg = wfMessage( 'discord-articleundelete', DiscordUtils::createUserLinks( $user ), ($create ? '' : wfMessage( 'discord-undeleterev' )->text() ), DiscordUtils::createMarkdownLink( $title, $title->getFullUrl( '', '', $proto = PROTO_HTTP ) ),
- ( $comment ? ('`' . DiscordUtils::truncateText( $comment ) . '`' ) : '' ))->plain();
+ ( $comment ? ('`' . DiscordUtils::sanitiseText( DiscordUtils::truncateText( $comment ) ) . '`' ) : '' ))->plain();
 DiscordUtils::handleDiscord(':wastebasket:', $msg);
 return true;
 }
@@ -145,7 +145,7 @@ class DiscordHooks {
 $msg = wfMessage( 'discord-articleprotect', DiscordUtils::createUserLinks( $user ), DiscordUtils::createMarkdownLink( $article->getTitle(), $article->getTitle()->getFullUrl( '', '', $proto = PROTO_HTTP ) ),
- ( $reason ? ('`' . DiscordUtils::truncateText( $reason ) . '`' ) : '' ),
+ ( $reason ? ('`' . DiscordUtils::sanitiseText( DiscordUtils::truncateText( $reason ) ) . '`' ) : '' ),
 implode(", ", $protect) )->plain();
 DiscordUtils::handleDiscord(':lock:', $msg);
 return true;
@@ -170,7 +170,7 @@ class DiscordHooks {
 $msg = wfMessage( 'discord-titlemove', DiscordUtils::createUserLinks( $user ), DiscordUtils::createMarkdownLink( $title, $title->getFullUrl( '', '', $proto = PROTO_HTTP ) ), DiscordUtils::createMarkdownLink( $newTitle, $newTitle->getFullUrl( '', '', $proto = PROTO_HTTP ) ),
- ( $reason ? ('`' . DiscordUtils::truncateText( $reason ) . '`' ) : '' ),
+ ( $reason ? ('`' . DiscordUtils::sanitiseText( DiscordUtils::truncateText( $reason ) ) . '`' ) : '' ),
 DiscordUtils::createRevisionText( $revision ) )->plain();
 DiscordUtils::handleDiscord(':truck:', $msg);
 return true;
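Review bot: In the titlemove hunk only `$reason` is passed through sanitiseText, while the link labels built from `$title` and `$newTitle` on the context line above it are equally user-chosen — a page can be moved to a name containing `@everyone`, `@here` or a backtick — and, as far as this hunk shows, reach the message untouched. Unless createMarkdownLink already strips or escapes its label (not visible here), the same `@`/backtick removal should be applied to the label before or inside createMarkdownLink, and a `]` in a label or `)` in a URL would likewise break `[label](url)`-style markup if it is not escaped there. The same gap applies to `$lf->getName()` in the upload hook and to the page titles in the other hooks of this file, which is why suppressing mentions once at the webhook level is the more robust option. The enclosing hook method starts and ends outside this hunk.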
@@ -207,7 +207,7 @@ class DiscordHooks {
 }
 $msg = wfMessage( 'discord-blockipcomplete', DiscordUtils::createUserLinks( $user ), DiscordUtils::createUserLinks( $block->getTarget() ),
- ( $block->mReason ? ('`' . DiscordUtils::truncateText( $block->mReason ) . '`' ) : '' ),
+ ( $block->mReason ? ('`' . DiscordUtils::sanitiseText( DiscordUtils::truncateText( $block->mReason ) ) . '`' ) : '' ),
 $expiryMsg )->plain();
 DiscordUtils::handleDiscord(':no_entry_sign:', $msg);
 return true;
@@ -243,7 +243,7 @@ class DiscordHooks {
 $msg = wfMessage( 'discord-usergroupschanged', DiscordUtils::createUserLinks( $performer ), DiscordUtils::createUserLinks( $user ),
- ( $reason ? ('`' . DiscordUtils::truncateText( $reason ) . '`' ) : '' ),
+ ( $reason ? ('`' . DiscordUtils::sanitiseText( DiscordUtils::truncateText( $reason ) ) . '`' ) : '' ),
 ( ( count($added) > 0 ) ? ( '+ ' . join(', ', $added) ) : ''), ( ( count($removed) > 0 ) ? ( '- ' . join(', ', $removed) ) : '' ) )->plain();
 DiscordUtils::handleDiscord(':people_holding_hands:', $msg);
@@ -275,7 +275,7 @@ class DiscordHooks {
 $msg = wfMessage( 'discord-uploadcomplete', DiscordUtils::createUserLinks( $user ), ( $isNewRevision ? wfMessage( 'discord-uploadnewver' )->text() : '' ), DiscordUtils::createMarkdownLink( $lf->getName(), $lf->getTitle()->getFullUrl( '', '', $proto = PROTO_HTTP ) ),
- ( $comment ? ('`' . DiscordUtils::truncateText( $comment ) . '`' ) : '' ),
+ ( $comment ? ('`' . DiscordUtils::sanitiseText( DiscordUtils::truncateText( $comment ) ) . '`' ) : '' ),
 DiscordUtils::formatBytes($lf->getSize()), $lf->getWidth(), $lf->getHeight(),
@@ -307,7 +307,7 @@ class DiscordHooks {
 $msg = wfMessage( 'discord-filedeletecomplete', DiscordUtils::createUserLinks( $user ), DiscordUtils::createMarkdownLink( $file->getName(), $file->getTitle()->getFullUrl( '', '', $proto = PROTO_HTTP ) ),
- ( $reason ? ('`' . DiscordUtils::truncateText( $reason ) . '`' ) : '' ) )->plain();
+ ( $reason ? ('`' . DiscordUtils::sanitiseText( DiscordUtils::truncateText( $reason ) ) . '`' ) : '' ) )->plain();
 DiscordUtils::handleDiscord(':wastebasket:', $msg);
 return true;
 }
@@ -330,7 +330,7 @@ class DiscordHooks {
 $msg = wfMessage( 'discord-fileundeletecomplete', DiscordUtils::createUserLinks( $user ), DiscordUtils::createMarkdownLink( $title, $title->getFullUrl( '', '', $proto = PROTO_HTTP ) ),
- ( $reason ? ('`' . DiscordUtils::truncateText( $reason ) . '`' ) : '' ) )->plain();
+ ( $reason ? ('`' . DiscordUtils::sanitiseText( DiscordUtils::truncateText( $reason ) ) . '`' ) : '' ) )->plain();
 DiscordUtils::handleDiscord(':wastebasket:', $msg);
 return true;
 }
diff --git a/src/Utils.php b/src/Utils.php
index 36ce553..b203f3d 100644
--- a/src/Utils.php
+++ b/src/Utils.php
@@ -235,6 +235,15 @@ class DiscordUtils {
 }
 return $text;
 }
+
+ /**
+ * Sanitise text input, including removing the potential for abuse
+ * of Discord's @everyone and @here pings
+ */
+ public static function sanitiseText($text) {
+ $text = preg_replace('/(`|@)/', '', $text);
+ return $text;
+ }
 }
 ?>
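Review bot: sanitiseText in the Utils.php hunk reaches for `preg_replace` to delete two literal characters, and preg_replace returns null rather than a string on a PCRE error, which every caller in this patch would then silently concatenate as an empty comment; `return str_replace( [ '`', '@' ], '', (string)$text );` does the same job with no regex engine and always yields a string. Removing `@` does neutralise `@everyone`, `@here` and `<@id>` mentions (Discord honours those even inside inline code, so the surrounding backticks alone would not help), but it also mangles legitimate text such as e-mail addresses; if handleDiscord posts a webhook JSON payload, sending `allowed_mentions: { parse: [] }` in that payload is the control the Discord API provides and would turn this stripping into defence in depth rather than the only barrier. The docblock should state the contract callers depend on — that backticks are removed because callers wrap the result in an inline-code span, that `@` is removed to suppress mentions, and `@param string $text` / `@return string` — rather than only naming the pings. The trailing `?>` on the last context line is pre-existing, but any whitespace after it would be emitted as output.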