From 6877b9943539b4e0900ad65d4ae77a861d3d8b97 Mon Sep 17 00:00:00 2001
From: Luke Barnard <lukeb@openmarket.com>
Date: Mon, 10 Jul 2017 17:44:49 +0100
Subject: [PATCH] Strip `<img src="https?://..">`s when transforming `img`s
 instead of using `allowedSchemesByTag`

---
 src/HtmlUtils.js | 16 +++++++---------
 1 file changed, 7 insertions(+), 9 deletions(-)

diff --git a/src/HtmlUtils.js b/src/HtmlUtils.js
index 95e698d6e5..1036fbf663 100644
--- a/src/HtmlUtils.js
+++ b/src/HtmlUtils.js
@@ -151,9 +151,6 @@ const sanitizeHtmlParams = {
     // URL schemes we permit
     allowedSchemes: ['http', 'https', 'ftp', 'mailto'],
 
-    allowedSchemesByTag: {
-        img: ['http', 'https'],
-    },
     allowProtocolRelative: false,
 
     transformTags: { // custom to matrix
@@ -187,13 +184,14 @@ const sanitizeHtmlParams = {
             return { tagName: tagName, attribs : attribs };
         },
         'img': function(tagName, attribs) {
-            if (attribs.src.startsWith('mxc://')) {
-                attribs.src = MatrixClientPeg.get().mxcUrlToHttp(
-                    attribs.src,
-                    attribs.width || 800,
-                    attribs.height || 600,
-                );
+            if (!attribs.src.startsWith('mxc://')) {
+                return { tagName, attribs: {}};
             }
+            attribs.src = MatrixClientPeg.get().mxcUrlToHttp(
+                attribs.src,
+                attribs.width || 800,
+                attribs.height || 600,
+            );
             return { tagName: tagName, attribs: attribs };
         },
         'code': function(tagName, attribs) {