From 1f52db67aa4f88723610ab6bfbb9cbd7b8cbadc0 Mon Sep 17 00:00:00 2001
From: KMY
Date: Tue, 7 Mar 2023 12:01:59 +0900
Subject: [PATCH] Fix to counter phising attacks from misskey
---
 app/javascript/styles/mastodon/rich_text.scss | 7 +++++++
 app/lib/text_formatter.rb | 1 -
 lib/sanitize_ext/sanitize_config.rb | 21 +++++++++++++++++++
 3 files changed, 28 insertions(+), 1 deletion(-)
diff --git a/app/javascript/styles/mastodon/rich_text.scss b/app/javascript/styles/mastodon/rich_text.scss
index 334ba98425..0ed2378192 100644
--- a/app/javascript/styles/mastodon/rich_text.scss
+++ b/app/javascript/styles/mastodon/rich_text.scss
@@ -91,6 +91,13 @@ sup {
 vertical-align: super;
 }
+
+}
+
+.status__content__text {
+ a.kmy-dangerous-link {
+ color: red !important;
+ }
 }
 .reply-indicator__content {
diff --git a/app/lib/text_formatter.rb b/app/lib/text_formatter.rb
index 39a0c060fd..980e783ff9 100644
--- a/app/lib/text_formatter.rb
+++ b/app/lib/text_formatter.rb
@@ -44,7 +44,6 @@ class TextFormatter
 end
 # line first letter for blockquote
- p 'DEBUG ' + html.gsub(/^gt;/, '>')
 html = markdownify(html.gsub(/^>/, '>'))
 # html = simple_format(html, {}, sanitize: false).delete("\n") if multiline?
diff --git a/lib/sanitize_ext/sanitize_config.rb b/lib/sanitize_ext/sanitize_config.rb
index 9cc500c36e..e976dbc9f4 100644
--- a/lib/sanitize_ext/sanitize_config.rb
+++ b/lib/sanitize_ext/sanitize_config.rb
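Review bot: `color: red !important` leaves colour as the only styling cue for `a.kmy-dangerous-link`, so readers with colour-vision deficiency, forced high-contrast modes or custom themes get no visual distinction beyond the ⚠ glyph the sanitizer inserts. A non-colour cue makes the marker robust, e.g. `color: red; text-decoration: underline wavy;`, and `!important` can be dropped unless a more specific theme rule is known to override the colour.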
@@ -50,6 +50,26 @@ class Sanitize
 current_node.replace(Nokogiri::XML::Text.new(current_node.text, current_node.document)) unless LINK_PROTOCOLS.include?(scheme)
 end
+ PHISHING_SCAM_HREF_TRANSFORMER = lambda do |env|
+ return unless env[:node_name] == 'a'
+
+ current_node = env[:node]
+ href = current_node['href']
+ text = current_node.text
+ cls = current_node['class'] || ''
+
+ scheme = if current_node['href'] =~ Sanitize::REGEX_PROTOCOL
+ Regexp.last_match(1).downcase
+ else
+ :relative
+ end
+
+ if LINK_PROTOCOLS.include?(scheme) && href != text
+ current_node['class'] = cls + ' kmy-dangerous-link'
+ current_node.before(Nokogiri::XML::Text.new('⚠', current_node.document))
+ end
+ end
+
 UNSUPPORTED_ELEMENTS_TRANSFORMER = lambda do |env|
 return unless %w(h1 h2 h3 h4 h5 h6).include?(env[:node_name])
@@ -82,6 +102,7 @@ class Sanitize
 CLASS_WHITELIST_TRANSFORMER,
 UNSUPPORTED_ELEMENTS_TRANSFORMER,
 UNSUPPORTED_HREF_TRANSFORMER,
+ PHISHING_SCAM_HREF_TRANSFORMER,
 ]
 )
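Review bot: The `href != text` test in the new PHISHING_SCAM_HREF_TRANSFORMER flags every anchor whose label is not the byte-exact URL, so descriptive Markdown links, mention and hashtag anchors (label `@user`/`#tag`, never equal to the href, if the stock `mention`/`hashtag` classes are what reach this transformer), and labels that differ only by case, a trailing slash or surrounding whitespace all receive the ⚠ glyph and the `kmy-dangerous-link` class, which teaches readers to ignore the marker. The deceptive case worth catching is a label that itself reads as a URL or hostname while `href` points at a different host, so the comparison should be host-to-host and should skip mention/hashtag anchors; the rewrite below does that with stdlib `URI` (assumes it is already loaded, as under Rails) and keeps the existing scheme check in front of it. Separately, `cls + ' kmy-dangerous-link'` yields a leading space when the anchor had no class; `[cls, 'kmy-dangerous-link'].reject(&:empty?).join(' ')` avoids it.
```ruby
PHISHING_SCAM_HREF_TRANSFORMER = lambda do |env|
  return unless env[:node_name] == 'a'

  current_node = env[:node]
  href = current_node['href']
  cls = current_node['class'] || ''

  # Mention/hashtag anchors are generated by the formatter; their label never equals the href.
  return if (cls.split & %w(mention hashtag)).any?

  # … unchanged: scheme detection via Sanitize::REGEX_PROTOCOL …
  return unless LINK_PROTOCOLS.include?(scheme)

  label = current_node.text.strip
  # Only a label that itself reads as a URL or hostname can misrepresent the destination;
  # a descriptive label ("read more") is an ordinary link, not a phishing pattern.
  return unless label.match?(%r{\A(?:[a-z][a-z0-9+.-]*://)?[^\s/?#:]+\.[a-z]{2,}(?:[/?#:]|\z)}i)

  href_host = begin
    URI.parse(href).host.to_s.downcase
  rescue URI::InvalidURIError
    ''
  end
  label_host = label.sub(%r{\A[a-z][a-z0-9+.-]*://}i, '').split(%r{[/?#:]}, 2).first.to_s.downcase
  return if label_host == href_host

  current_node['class'] = [cls, 'kmy-dangerous-link'].reject(&:empty?).join(' ')
  current_node.before(Nokogiri::XML::Text.new('⚠', current_node.document))
end
```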