ChatMessagesHandling: Strip HTML of incoming messages.
parent
41fdcb7282
commit
e983f70884
|
@ -19,6 +19,9 @@ def handle_incoming(
|
|||
{_, {:ok, object_cast_data_sym}} <-
|
||||
{:casting_object_data, object_data |> ChatMessageValidator.cast_and_apply()},
|
||||
object_cast_data = ObjectValidator.stringify_keys(object_cast_data_sym),
|
||||
# For now, just strip HTML
|
||||
stripped_content = Pleroma.HTML.strip_tags(object_cast_data["content"]),
|
||||
object_cast_data = object_cast_data |> Map.put("content", stripped_content),
|
||||
{_, {:ok, validated_object, _meta}} <-
|
||||
{:validate_object, ObjectValidator.validate(object_cast_data, %{})},
|
||||
{_, {:ok, _created_object}} <- {:persist_object, Object.create(validated_object)},
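Review bot: The new `stripped_content = Pleroma.HTML.strip_tags(object_cast_data["content"])` line runs before `ObjectValidator.validate/2`, so a remote object whose `content` is absent or not a string reaches `strip_tags/1` unvalidated; if that function only accepts binaries (its definition is not in this hunk) the `with` chain raises instead of falling through to the validator's error path. Guarding the call keeps malformed input on the validation path: `stripped_content = strip_html_content(object_cast_data["content"]),` backed by `defp strip_html_content(content) when is_binary(content), do: Pleroma.HTML.strip_tags(content)` and `defp strip_html_content(other), do: other`. The `# For now, just strip HTML` comment should also record what is being deferred, e.g. `# TODO: strips every tag; decide whether chat content should instead go through the scrubber whitelist used for other objects`. `handle_incoming` starts before this hunk and its body continues past it.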
|
||||
|
|
|
@ -56,7 +56,9 @@ test "it inserts it and creates a chat" do
|
|||
assert activity.recipients == [recipient.ap_id, author.ap_id]
|
||||
|
||||
%Object{} = object = Object.get_by_ap_id(activity.data["object"])
|
||||
|
||||
assert object
|
||||
assert object.data["content"] == "You expected a cute girl? Too bad. alert('XSS')"
|
||||
end
|
||||
end
|
||||
end
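Review bot: The new assertion `assert object.data["content"] == "You expected a cute girl? Too bad. alert('XSS')"` depends on the fixture's raw content carrying markup that gets stripped, but that fixture is outside the hunk and the test name "it inserts it and creates a chat" gives no hint that tag stripping is under test. A reader seeing only this line cannot tell whether the absent tags around `alert('XSS')` are the expected outcome or a fixture mismatch. Either move the assertion into its own `test "it strips HTML tags from the content"` or add a comment above it such as `# the fixture presumably wraps alert('XSS') in a <script> tag; handle_incoming must strip it`, adjusted to what the fixture actually contains. The enclosing `test` block begins before this hunk.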
|
||||
|
|