authorkaniini <nenolod@gmail.com>2018-08-21 16:56:24 +0000
committerkaniini <nenolod@gmail.com>2018-08-21 16:56:24 +0000
commita6d4cc8917b67b1b79891b60bfa3f38b8b58fde8 (patch)
tree11f5a4dbbeaad7d6cfbe8c14c574591aba18a60e
parent5a8bb3cb3b0cc7de82bd699d68519593349fee53 (diff)
parent2b5db840ee9fc6b6e5229983b31c918e4675e4b2 (diff)
downloadpleroma-a6d4cc8917b67b1b79891b60bfa3f38b8b58fde8.tar.gz
Merge branch 'sanitize-bio' into 'develop'
mastodon api: sanitize the bio HTML See merge request pleroma/pleroma!282
-rw-r--r--lib/pleroma/web/mastodon_api/views/account_view.ex2
-rw-r--r--test/web/mastodon_api/account_view_test.exs3
2 files changed, 3 insertions, 2 deletions
diff --git a/lib/pleroma/web/mastodon_api/views/account_view.ex b/lib/pleroma/web/mastodon_api/views/account_view.ex
index cc5261616..d9edcae7f 100644
--- a/lib/pleroma/web/mastodon_api/views/account_view.ex
+++ b/lib/pleroma/web/mastodon_api/views/account_view.ex
@@ -36,7 +36,7 @@ defmodule Pleroma.Web.MastodonAPI.AccountView do
followers_count: user_info.follower_count,
following_count: user_info.following_count,
statuses_count: user_info.note_count,
- note: user.bio || "",
+ note: HtmlSanitizeEx.basic_html(user.bio) || "",
url: user.ap_id,
avatar: image,
avatar_static: image,
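Review bot: A nil bio now reaches HtmlSanitizeEx.basic_html before the `|| ""` fallback is evaluated, whereas the removed line tested for nil first; unless basic_html accepts nil (not verifiable from this hunk), rendering an account that has no bio will raise instead of returning an empty note. Moving the fallback inside the call keeps both the sanitization and the nil safety: `note: HtmlSanitizeEx.basic_html(user.bio || ""),`. The companion change in test/web/mastodon_api/account_view_test.exs only pins the script-stripping case; a second fixture with `bio: nil` asserting `note: ""` would cover the fallback as well. A short why-comment on the line would help the next reader, e.g. `# bio is user-supplied HTML; pass it through the sanitizer before exposing it via the API`. The enclosing render function starts and ends outside the hunk, and whether HtmlSanitizeEx is already a declared dependency is not visible here.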
diff --git a/test/web/mastodon_api/account_view_test.exs b/test/web/mastodon_api/account_view_test.exs
index 8bf194e6b..35c8a1fb0 100644
--- a/test/web/mastodon_api/account_view_test.exs
+++ b/test/web/mastodon_api/account_view_test.exs
@@ -20,6 +20,7 @@ defmodule Pleroma.Web.MastodonAPI.AccountViewTest do
info: %{"note_count" => 5, "follower_count" => 3, "source_data" => source_data},
nickname: "shp@shitposter.club",
name: ":karjalanpiirakka: shp",
+ bio: "<script src=\"invalid-html\"></script><span>valid html</span>",
inserted_at: ~N[2017-08-15 15:47:06.597036]
})
@@ -33,7 +34,7 @@ defmodule Pleroma.Web.MastodonAPI.AccountViewTest do
followers_count: 3,
following_count: 0,
statuses_count: 5,
- note: user.bio,
+ note: "<span>valid html</span>",
url: user.ap_id,
avatar: "http://localhost:4001/images/avi.png",
avatar_static: "http://localhost:4001/images/avi.png",