From 9afb1586cd79be237ef72878f89e28fe43b47545 Mon Sep 17 00:00:00 2001
From: George Goldberg <george@gberg.me>
Date: Wed, 28 Nov 2018 10:58:12 +0000
Subject: [PATCH] MM-12648: Properly unescape OpenGraph metadata containing
 HTML entities. (#9891)

---
 app/opengraph.go      | 11 ++++++++++-
 app/opengraph_test.go | 12 ++++++++++++
 2 files changed, 22 insertions(+), 1 deletion(-)

diff --git a/app/opengraph.go b/app/opengraph.go
index 619542549a..d99a150d67 100644
--- a/app/opengraph.go
+++ b/app/opengraph.go
@@ -4,12 +4,14 @@
 package app
 
 import (
+	"html"
 	"io"
 	"net/url"
 
 	"github.com/dyatlov/go-opengraph/opengraph"
-	"github.com/mattermost/mattermost-server/mlog"
 	"golang.org/x/net/html/charset"
+
+	"github.com/mattermost/mattermost-server/mlog"
 )
 
 func (a *App) GetOpenGraphMetadata(requestURL string) *opengraph.OpenGraph {
@@ -34,6 +36,8 @@ func (a *App) ParseOpenGraphMetadata(requestURL string, body io.Reader, contentT
 
 	makeOpenGraphURLsAbsolute(og, requestURL)
 
+	openGraphDecodeHtmlEntities(og)
+
 	// If image proxy enabled modify open graph data to feed though proxy
 	if toProxyURL := a.ImageProxyAdder(); toProxyURL != nil {
 		og = OpenGraphDataWithProxyAddedToImageURLs(og, toProxyURL)
@@ -114,3 +118,8 @@ func OpenGraphDataWithProxyAddedToImageURLs(ogdata *opengraph.OpenGraph, toProxy
 
 	return ogdata
 }
+
+func openGraphDecodeHtmlEntities(og *opengraph.OpenGraph) {
+	og.Title = html.UnescapeString(og.Title)
+	og.Description = html.UnescapeString(og.Description)
+}
diff --git a/app/opengraph_test.go b/app/opengraph_test.go
index 78e9de17d0..867f02ea14 100644
--- a/app/opengraph_test.go
+++ b/app/opengraph_test.go
@@ -8,6 +8,7 @@ import (
 	"testing"
 
 	"github.com/dyatlov/go-opengraph/opengraph"
+	"github.com/stretchr/testify/assert"
 )
 
 func BenchmarkForceHTMLEncodingToUTF8(b *testing.B) {
@@ -127,3 +128,14 @@ func TestMakeOpenGraphURLsAbsolute(t *testing.T) {
 		})
 	}
 }
+
+func TestOpenGraphDecodeHtmlEntities(t *testing.T) {
+	og := opengraph.NewOpenGraph()
+	og.Title = "Test&#39;s are the best.&copy;"
+	og.Description = "Test&#39;s are the worst.&copy;"
+
+	openGraphDecodeHtmlEntities(og)
+
+	assert.Equal(t, og.Title, "Test's are the best.©")
+	assert.Equal(t, og.Description, "Test's are the worst.©")
+}