From 35f2202e9054fb3f474a7c930851ec51086d781f Mon Sep 17 00:00:00 2001
From: Sorunome <mail@sorunome.de>
Date: Sun, 5 Jul 2020 18:41:27 +0200
Subject: [PATCH] Strip reply fallback before passing to html renderer

---
 lib/components/html_message.dart | 10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)

diff --git a/lib/components/html_message.dart b/lib/components/html_message.dart
index ece16a8..2008ee0 100644
--- a/lib/components/html_message.dart
+++ b/lib/components/html_message.dart
@@ -21,11 +21,19 @@ class HtmlMessage extends StatelessWidget {
 
   @override
   Widget build(BuildContext context) {
+    // riot-web is notorious for creating bad reply fallback events from invalid messages which, if
+    // not handled properly, can lead to impersination. As such, we strip the entire `<mx-reply>` tags
+    // here already, to prevent that from happening.
+    // We do *not* do this in an AST and just with simple regex here, as riot-web tends to create
+    // miss-matching tags, and this way we actually correctly identify what we want to strip and, well,
+    // strip it.
+    final renderHtml = html.replaceAll(RegExp('<mx-reply>.*<\/mx-reply>'), '');
+
     // there is no need to pre-validate the html, as we validate it while rendering
 
     final themeData = Theme.of(context);
     return Html(
-      data: html,
+      data: renderHtml,
       defaultTextStyle: defaultTextStyle,
       linkStyle: linkStyle ??
           themeData.textTheme.bodyText2.copyWith(