diff options
| author | Roger Braun <roger@rogerbraun.net> | 2017-06-18 13:40:35 +0200 |
|---|---|---|
| committer | Roger Braun <roger@rogerbraun.net> | 2017-06-18 13:40:35 +0200 |
| commit | 8feec8d390f34114c5f42faf366f899a2b4af9fb (patch) | |
| tree | e613c70ac9ae5b8e838fc6cb2ec60403b8389eb3 | |
| parent | a9bfbcae800e88b85814c718b0c4bfa9d8dfcfaa (diff) | |
| download | pleroma-8feec8d390f34114c5f42faf366f899a2b4af9fb.tar.gz | |
Strip unsafe html on output in TwAPI.
| -rw-r--r-- | lib/pleroma/web/twitter_api/representers/activity_representer.ex | 2 | ||||
| -rw-r--r-- | test/web/twitter_api/representers/activity_representer_test.exs | 4 |
2 files changed, 3 insertions, 3 deletions
diff --git a/lib/pleroma/web/twitter_api/representers/activity_representer.ex b/lib/pleroma/web/twitter_api/representers/activity_representer.ex index ade200268..6f22e45fa 100644 --- a/lib/pleroma/web/twitter_api/representers/activity_representer.ex +++ b/lib/pleroma/web/twitter_api/representers/activity_representer.ex @@ -105,7 +105,7 @@ defmodule Pleroma.Web.TwitterAPI.Representers.ActivityRepresenter do "id" => activity.id, "user" => UserRepresenter.to_map(user, opts), "attentions" => [], - "statusnet_html" => content, + "statusnet_html" => HtmlSanitizeEx.basic_html(content), "text" => HtmlSanitizeEx.strip_tags(content), "is_local" => true, "is_post_verb" => true, diff --git a/test/web/twitter_api/representers/activity_representer_test.exs b/test/web/twitter_api/representers/activity_representer_test.exs index dce6025c4..022595b91 100644 --- a/test/web/twitter_api/representers/activity_representer_test.exs +++ b/test/web/twitter_api/representers/activity_representer_test.exs @@ -67,7 +67,7 @@ defmodule Pleroma.Web.TwitterAPI.Representers.ActivityRepresenterTest do } } - content_html = "Some #content #mentioning <a href='#{mentioned_user.ap_id}'>@shp</shp>" + content_html = "<script>alert('YAY')</script>Some #content #mentioning <a href='#{mentioned_user.ap_id}'>@shp</a>" content = HtmlSanitizeEx.strip_tags(content_html) date = DateTime.from_naive!(~N[2016-05-24 13:26:08.003], "Etc/UTC") |> DateTime.to_iso8601 @@ -108,7 +108,7 @@ defmodule Pleroma.Web.TwitterAPI.Representers.ActivityRepresenterTest do "user" => UserRepresenter.to_map(user, %{for: follower}), "is_local" => true, "attentions" => [], - "statusnet_html" => content_html <> "<br>\n#nsfw", + "statusnet_html" => HtmlSanitizeEx.basic_html(content_html) <> "<br />\n#nsfw", "text" => content <> "\n#nsfw", "is_post_verb" => true, "created_at" => "Tue May 24 13:26:08 +0000 2016", |