fix(string utils): do not escape possible regular expressions

test/api/unit/libs/stringUtils.test.js

@@ -0,0 +1,12 @@
+import { getMatchesByWordArray } from '../../../../website/server/libs/stringUtils';
+import bannedWords from '../../../../website/server/libs/bannedWords';
+
+describe('stringUtils', () => {
+  describe('getMatchesByWordArray', () => {
+    it('check all banned words are matched', async () => {
+      const message = bannedWords.join(',');
+      const matches = getMatchesByWordArray(message, bannedWords);
+      expect(matches.length).to.equal(bannedWords.length);
+    });
+  });
+});

test/api/v3/integration/chat/POST-chat.test.js

@@ -14,8 +14,6 @@ import {
   TAVERN_ID,
 } from '../../../../../website/server/models/group';
 import { CHAT_FLAG_FROM_SHADOW_MUTE, MAX_MESSAGE_LENGTH } from '../../../../../website/common/script/constants';
-import { getMatchesByWordArray } from '../../../../../website/server/libs/stringUtils';
-import bannedWords from '../../../../../website/server/libs/bannedWords';
 import guildsAllowingBannedWords from '../../../../../website/server/libs/guildsAllowingBannedWords';
 import * as email from '../../../../../website/server/libs/email';
 
@@ -292,12 +290,6 @@ describe('POST /chat', () => {
         .that.includes(testBannedWords.join(', '));
     });
 
-    it('check all banned words are matched', async () => {
-      const message = bannedWords.join(',').replace(/\\/g, '');
-      const matches = getMatchesByWordArray(message, bannedWords);
-      expect(matches.length).to.equal(bannedWords.length);
-    });
-
     it('does not error when bad word is suffix of a word', async () => {
       const wordAsSuffix = `prefix${testBannedWordMessage}`;
       const message = await user.post('/groups/habitrpg/chat', { message: wordAsSuffix });

website/server/libs/stringUtils.js

@@ -1,15 +1,12 @@
-import escapeRegExp from 'lodash/escapeRegExp';
-
 export function removePunctuationFromString (str) {
   return str.replace(/[.,/#!@$%^&;:{}=\-_`~()]/g, ' ');
 }
 
+// NOTE: the wordsToMatch aren't escaped in order to support regular expressions,
+// so this method should not be used if wordsToMatch contains unsanitized user input
 export function getMatchesByWordArray (str, wordsToMatch) {
   const matchedWords = [];
-  const wordRegexs = wordsToMatch.map(word => {
+  const wordRegexs = wordsToMatch.map(word => new RegExp(`\\b([^a-z]+)?${word}([^a-z]+)?\\b`, 'i'));
-    const escapedWord = escapeRegExp(word);
-    return new RegExp(`\\b([^a-z]+)?${escapedWord}([^a-z]+)?\\b`, 'i');
-  });
   for (let i = 0; i < wordRegexs.length; i += 1) {
     const regEx = wordRegexs[i];
     const match = str.match(regEx);

website/server/libs/user/validation.js

@@ -1,12 +1,8 @@
-import escapeRegExp from 'lodash/escapeRegExp';
 import bannedSlurs from '../bannedSlurs';
 import { getMatchesByWordArray } from '../stringUtils';
 import forbiddenUsernames from '../forbiddenUsernames';
 
-const bannedSlurRegexs = bannedSlurs.map(word => {
+const bannedSlurRegexs = bannedSlurs.map(word => new RegExp(`.*${word}.*`, 'i'));
-  const escapedWord = escapeRegExp(word);
-  return new RegExp(`.*${escapedWord}.*`, 'i');
-});
 
 export function nameContainsSlur (username) {
   for (let i = 0; i < bannedSlurRegexs.length; i += 1) {