
Removes query params from urls as set in config

Ariel Fuggini 4 éve
szülő
commit
3535d05ff5

+ 7 - 0
docs/source/configuration.rst

@@ -836,6 +836,13 @@ Before version 1.0.3 Converse would ignore received messages if they were
 intended for a different resource then the current user had. It was decided to
 drop this restriction but leave it configurable.
 
+filter_url_query_params
+-----------------------
+
+* Default: ``null``
+
+Accepts a string or array of strings. Any query strings from URLs that match this setting will be removed.
+
 fullname
 --------
 

+ 23 - 0
spec/messages.js

@@ -896,6 +896,29 @@ describe("A Chat Message", function () {
         done();
     }));
 
+    it("will remove url query parameters from hyperlinks as set",
+        mock.initConverse(
+            ['rosterGroupsFetched', 'chatBoxesFetched'], {},
+            async function (done, _converse) {
+
+        await mock.waitForRoster(_converse, 'current');
+        await mock.openControlBox(_converse);
+        const contact_jid = mock.cur_names[0].replace(/ /g,'.').toLowerCase() + '@montague.lit';
+        await mock.openChatBoxFor(_converse, contact_jid);
+        const view = _converse.api.chatviews.get(contact_jid);
+        _converse.api.settings.set('filter_url_query_params', ['utm_medium', 'utm_content', 's']);
+        const message = 'This message contains a hyperlink with forbidden query params: https://www.opkode.com/?id=0&utm_content=1&utm_medium=2&s=1';
+        spyOn(view.model, 'sendMessage').and.callThrough();
+        mock.sendMessage(view, message);
+        expect(view.model.sendMessage).toHaveBeenCalled();
+        await new Promise(resolve => view.model.messages.once('rendered', resolve));
+        const msg = sizzle('.chat-content .chat-msg:last .chat-msg__text', view.el).pop();
+        expect(msg.textContent).toEqual(message);
+        await u.waitUntil(() => msg.innerHTML.replace(/<!---->/g, '') ===
+            'This message contains a hyperlink with forbidden query params: <a target="_blank" rel="noopener" href="https://www.opkode.com/?id=0">https://www.opkode.com/?id=0</a>');
+        done();
+    }));
+
     it("will render newlines",
         mock.initConverse(
             ['rosterGroupsFetched', 'chatBoxesFetched'], {},
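Review bot: The `expect(msg.textContent).toEqual(message)` assertion conflicts with the final state this test waits for: once the link is rendered with the filtered URL as its text, `textContent` no longer contains `utm_content`, `utm_medium` or `s`, so the assertion can only pass if it runs before the hyperlink is applied. That makes the test depend on render timing (inferred from the `u.waitUntil` that follows); I would drop the line or assert on the filtered text after the wait. Only the array form of `filter_url_query_params` is exercised, so a case for the documented single-string form and one for the default `null` (URL left untouched) would pin the behaviour. The enclosing `describe` starts outside this hunk.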

+ 1 - 0
src/converse-chatview.js

@@ -52,6 +52,7 @@ converse.plugins.add('converse-chatview', {
         api.settings.extend({
             'auto_focus': true,
             'debounced_content_rendering': true,
+            'filter_url_query_params': null,
             'image_urls_regex': null,
             'message_limit': 0,
             'muc_hats_from_vcard': false,

+ 4 - 3
src/templates/directives/body.js

@@ -117,12 +117,13 @@ function addHyperlinks (text, onImgLoad, onImgClick) {
     const show_images = api.settings.get('show_images_inline');
     objs.forEach(url_obj => {
         const url_text = text.slice(url_obj.start, url_obj.end);
+        const filtered_url = u.filterQueryParamsFromURL(url_text);
         text.addTemplateResult(
             url_obj.start,
             url_obj.end,
-            show_images && u.isImageURL(url_text) && u.isImageDomainAllowed(url_text)
-                ? u.convertToImageTag(url_text, onImgLoad, onImgClick)
-                : u.convertUrlToHyperlink(url_text)
+            show_images && u.isImageURL(url_text) && u.isImageDomainAllowed(url_text) ?
+                u.convertToImageTag(filtered_url, onImgLoad, onImgClick) :
+                u.convertUrlToHyperlink(filtered_url),
         );
     });
 }
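Review bot: The image checks in the ternary still run on `url_text` while the element is built from `filtered_url`, so the string that is validated is not the string that is rendered. Stripping query parameters should not change the host, but if the image test looks at the query part (for example through `image_urls_regex`), the filtered URL may no longer qualify as an image; this is inferred, since `u.isImageURL` is not shown here. I would check the value that is actually used: `show_images && u.isImageURL(filtered_url) && u.isImageDomainAllowed(filtered_url) ?`. `addHyperlinks` begins above this hunk.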

+ 7 - 0
src/utils/html.js

@@ -352,6 +352,13 @@ u.convertUrlToHyperlink = function (url) {
     return url;
 };
 
+u.filterQueryParamsFromURL = function (url) {
+    const paramsArray = api.settings.get("filter_url_query_params");
+    if (!paramsArray) return url;
+    const parsed_uri = getURI(url);
+    return parsed_uri.removeQuery(paramsArray).toString();
+};
+
 u.addHyperlinks = function (text) {
     const objs = [];
     const parse_options = { 'start': /\b(?:([a-z][a-z0-9.+-]*:\/\/)|xmpp:|mailto:|www\.)/gi };
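Review bot: `u.filterQueryParamsFromURL` is applied to every URL found in a message, including text received from remote contacts, and it dereferences the result of `getURI(url)` without a guard. `getURI` is not visible in this hunk; if it can return a falsy value or throw on a malformed URL, rendering that message would fail, so fall back to the original string with `if (!parsed_uri) return url;` before the `removeQuery` call. The setting is documented as a string or an array of strings, so `paramsArray` is a misleading name and also breaks the snake_case used by `parsed_uri`; `filter_params` would fit. A short JSDoc comment should say that the URL is parsed and re-serialized, and that the input is returned unchanged when the setting is `null`.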