From 903f7c7d1584164f033fe4413a385c28949fae6f Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Christian=20Ku=C3=9Fowski?= Date: Mon, 1 Dec 2025 14:44:29 +0100 Subject: [PATCH 1/4] fix: Render not permitted html tags as text instead of hiding --- lib/pages/chat/events/html_message.dart | 7 ++----- 1 file changed, 2 insertions(+), 5 deletions(-) diff --git a/lib/pages/chat/events/html_message.dart b/lib/pages/chat/events/html_message.dart index 3f82806b5..fcf1dd2c4 100644 --- a/lib/pages/chat/events/html_message.dart +++ b/lib/pages/chat/events/html_message.dart @@ -156,8 +156,8 @@ class HtmlMessage extends StatelessWidget { // We must not render elements nested more than 100 elements deep: if (depth >= 100) return const TextSpan(); - // This is a text node, so we render it as text: - if (node is! dom.Element) { + // This is a text node or not permitted node, so we render it as text: + if (node is! dom.Element || !allowedHtmlTags.contains(node.localName)) { var text = node.text ?? ''; // Single linebreak nodes between Elements are ignored: if (text == '\n') text = ''; @@ -170,9 +170,6 @@ class HtmlMessage extends StatelessWidget { ); } - // We must not render tags which are not in the allow list: - if (!allowedHtmlTags.contains(node.localName)) return const TextSpan(); - switch (node.localName) { case 'br': return const TextSpan(text: '\n'); From 3b181291cc91a536ea2b418171f184cf83bb9dce Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Christian=20Ku=C3=9Fowski?= Date: Mon, 1 Dec 2025 14:44:37 +0100 Subject: [PATCH 2/4] fix: Do not render html in unformatted messages --- lib/pages/chat/events/message_content.dart | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/lib/pages/chat/events/message_content.dart b/lib/pages/chat/events/message_content.dart index 792c63814..5cfd55c28 100644 --- a/lib/pages/chat/events/message_content.dart +++ b/lib/pages/chat/events/message_content.dart 
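Review bot: In the first hunk of PATCH 1/4 (`@@ -156,8 +156,8 @@`) the new branch sends every element outside `allowedHtmlTags` through `node.text`, which for an element is the concatenated text of its whole subtree. Allowed children inside an unknown wrapper therefore lose their formatting, and the bodies of tags such as `script` or `style` become visible message text. That is inert as long as the string only ever ends up in the text span, but the comment should state it, for example `// Text nodes and elements outside the allow list are shown as their plain text content; nested markup is flattened, never interpreted:`. The enclosing method starts and ends outside the hunk, so what happens to `text` afterwards is not visible here.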
@@ -241,7 +241,7 @@ class MessageContent extends StatelessWidget { } var html = AppSettings.renderHtml.value && event.isRichMessage ? event.formattedText - : event.body; + : event.body.replaceAll('<', '<').replaceAll('>', '>'); if (event.messageType == MessageTypes.Emote) { html = '* $html'; } From 86a73f9909b35abcbdaefded2aceee29c149cf2b Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Christian=20Ku=C3=9Fowski?= Date: Tue, 2 Dec 2025 09:20:32 +0100 Subject: [PATCH 3/4] chore: Follow up html tag rendering --- lib/pages/chat/events/html_message.dart | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/lib/pages/chat/events/html_message.dart b/lib/pages/chat/events/html_message.dart index fcf1dd2c4..f6cb99003 100644 --- a/lib/pages/chat/events/html_message.dart +++ b/lib/pages/chat/events/html_message.dart @@ -86,10 +86,10 @@ class HtmlMessage extends StatelessWidget { 'rt', 'html', 'body', - // Workaround for https://github.com/krille-chan/fluffychat/issues/507 - 'tg-forward', }; + static const Set ignoredHtmlTags = {'mx-reply'}; + /// We add line breaks before these tags: static const Set blockHtmlTags = { 'p', @@ -170,6 +170,8 @@ class HtmlMessage extends StatelessWidget { ); } + if (ignoredHtmlTags.contains(node.localName)) return const TextSpan(); + switch (node.localName) { case 'br': return const TextSpan(text: '\n'); From 89a167dc5713b9a50d71e9514da2f8e08f42ff8c Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Christian=20Ku=C3=9Fowski?= Date: Tue, 2 Dec 2025 11:06:41 +0100 Subject: [PATCH 4/4] chore: Follow up html rendering --- lib/pages/chat/events/html_message.dart | 23 ++++++++++++++--------- 1 file changed, 14 insertions(+), 9 deletions(-) diff --git a/lib/pages/chat/events/html_message.dart b/lib/pages/chat/events/html_message.dart index f6cb99003..51defb5f5 100644 --- a/lib/pages/chat/events/html_message.dart +++ b/lib/pages/chat/events/html_message.dart 
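Review bot: In `@@ -241,7 +241,7 @@` of message_content.dart the plain-text fallback escapes only the angle brackets, so an `&` in `event.body` still reaches the HTML parser unescaped, and a body containing the literal characters `&lt;b&gt;` would be displayed as `<b>` rather than as typed. It stays text either way, but the displayed message no longer matches what was sent. Escaping the ampersand first closes the gap, e.g. `: const HtmlEscape(HtmlEscapeMode.element).convert(event.body);` from `dart:convert`, or a leading `.replaceAll('&', '&amp;')` before the two existing calls. As shown on this page the replacement strings look identical to the search strings, presumably because the entities were decoded when the patch was extracted.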
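Review bot: `ignoredHtmlTags`, added in `@@ -86,10 +86,10 @@` of PATCH 3/4, has no `///` comment, unlike `blockHtmlTags` directly below it, and its effect is not the same as a tag merely being absent from the allow list: these elements are dropped together with their content instead of being shown as text. I would add `/// These tags and everything inside them are dropped; the reply fallback in mx-reply is supplied by the sender and is not shown:` above the declaration. The class body starts and ends outside the hunk.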
@@ -156,6 +156,11 @@ class HtmlMessage extends StatelessWidget { // We must not render elements nested more than 100 elements deep: if (depth >= 100) return const TextSpan(); + if (node is dom.Element && + ignoredHtmlTags.contains(node.localName?.toLowerCase())) { + return const TextSpan(); + } + // This is a text node or not permitted node, so we render it as text: if (node is! dom.Element || !allowedHtmlTags.contains(node.localName)) { var text = node.text ?? ''; @@ -170,8 +175,6 @@ class HtmlMessage extends StatelessWidget { ); } - if (ignoredHtmlTags.contains(node.localName)) return const TextSpan(); - switch (node.localName) { case 'br': return const TextSpan(text: '\n'); @@ -260,13 +263,15 @@ class HtmlMessage extends StatelessWidget { child: Text.rich( TextSpan( children: [ - if (node.parent?.localName == 'ul') - const TextSpan(text: '• '), - if (node.parent?.localName == 'ol') - TextSpan( - text: - '${(node.parent?.nodes.whereType().toList().indexOf(node) ?? 0) + (int.tryParse(node.parent?.attributes['start'] ?? '1') ?? 1)}. ', - ), + if (!isCheckbox) ...[ + if (node.parent?.localName == 'ul') + const TextSpan(text: '• '), + if (node.parent?.localName == 'ol') + TextSpan( + text: + '${(node.parent?.nodes.whereType().toList().indexOf(node) ?? 0) + (int.tryParse(node.parent?.attributes['start'] ?? '1') ?? 1)}. ', + ), + ], if (node.className == 'task-list-item') WidgetSpan( child: Padding(
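Review bot: The ignore check added in `@@ -156,6 +156,11 @@` lower-cases `node.localName`, while the allow-list test a few lines below and the `switch` in the next hunk compare the raw value, so the three lookups do not normalise the tag name the same way. A mixed-case name would fail the allow list and end up as plain text, which fails safe, but the mismatch is easy to get wrong in a later change. Computing it once, `final tag = node is dom.Element ? node.localName?.toLowerCase() : null;`, and using `tag` for the two `contains` calls and the `switch` keeps them in step. The method body starts and ends outside the hunk.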