static_fe: Sanitize HTML in posts
Note: the TwitterCard generator seems to apply a different sanitization, producing the following: <meta content=\"“alert('xss')”\" property=\"twitter:description\">
This commit is contained in:
parent
fa4ec17c84
commit
0ac6e29654
|
@ -58,10 +58,17 @@ defp represent(%Activity{object: %Object{data: data}} = activity, selected) do
|
||||||
_ -> data["url"] || data["external_url"] || data["id"]
|
_ -> data["url"] || data["external_url"] || data["id"]
|
||||||
end
|
end
|
||||||
|
|
||||||
|
content =
|
||||||
|
if data["content"] do
|
||||||
|
Pleroma.HTML.filter_tags(data["content"])
|
||||||
|
else
|
||||||
|
nil
|
||||||
|
end
|
||||||
|
|
||||||
%{
|
%{
|
||||||
user: user,
|
user: user,
|
||||||
title: get_title(activity.object),
|
title: get_title(activity.object),
|
||||||
content: data["content"] || nil,
|
content: content,
|
||||||
attachment: data["attachment"],
|
attachment: data["attachment"],
|
||||||
link: link,
|
link: link,
|
||||||
published: data["published"],
|
published: data["published"],
|
||||||
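Review bot: Only `content` is scrubbed here; `title` (via `get_title/1`), `attachment` and `link` in the same map still reach the view with unfiltered object data, and for a federated object `data["url"]`/`data["external_url"]` and the attachment fields are remote-controlled. Whether that matters depends on how the template emits them (escaped vs. `raw`, and whether `link` ends up in an `href`), which is not visible in this hunk, so it is a follow-up check rather than a blocker. The `if`/`else nil` also carries no comment on why filtering happens at render time; I would add above `content =`: `# data["content"] may originate from a remote instance; run it through the configured scrubber before the view emits it, since stored content is not trusted as-is.` Note that `filter_tags/1` is presumably only as strict as the scrubber policy the instance configures, so the test in the companion hunk is what actually pins the behaviour. `represent/2` starts before this hunk (its head is only shown in the hunk header) and the map literal continues past the hunk's last line.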
|
|
|
@ -92,6 +92,19 @@ test "single notice page", %{conn: conn, user: user} do
|
||||||
assert html =~ "testing a thing!"
|
assert html =~ "testing a thing!"
|
||||||
end
|
end
|
||||||
|
|
||||||
|
test "filters HTML tags", %{conn: conn} do
|
||||||
|
user = insert(:user)
|
||||||
|
{:ok, activity} = CommonAPI.post(user, %{"status" => "<script>alert('xss')</script>"})
|
||||||
|
|
||||||
|
conn =
|
||||||
|
conn
|
||||||
|
|> put_req_header("accept", "text/html")
|
||||||
|
|> get("/notice/#{activity.id}")
|
||||||
|
|
||||||
|
html = html_response(conn, 200)
|
||||||
|
assert html =~ ~s[<script>alert('xss')</script>]
|
||||||
|
end
|
||||||
|
|
||||||
test "shows the whole thread", %{conn: conn, user: user} do
|
test "shows the whole thread", %{conn: conn, user: user} do
|
||||||
{:ok, activity} = CommonAPI.post(user, %{"status" => "space: the final frontier"})
|
{:ok, activity} = CommonAPI.post(user, %{"status" => "space: the final frontier"})
|
||||||
|
|
||||||
|
|
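Review bot: The assertion on the new test's last line checks that the literal payload is present — `assert html =~ ~s[<script>alert('xss')</script>]` — which is the inverse of what a "filters HTML tags" test should establish; as written it either fails (if `CommonAPI.post` stores the status HTML-escaped, as I would expect) or passes only by confirming the injection. I would invert it and pin the escaped form: `refute html =~ ~s[<script>alert('xss')</script>]` followed by `assert html =~ ~s[&lt;script&gt;alert(&#39;xss&#39;)&lt;/script&gt;]`. The exact escaped form depends on how the stored content is escaped upstream, so the second line may need adjusting to what the renderer actually emits. The `filters HTML tags` test is complete within this hunk.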