ChatMessagesHandling: Strip HTML of incoming messages.

2 files changed, 5 insertions, 0 deletions

diff --git a/lib/pleroma/web/activity_pub/transmogrifier/chat_message_handling.ex b/lib/pleroma/web/activity_pub/transmogrifier/chat_message_handling.ex
index 815b866c9..11bd10456 100644
--- a/lib/pleroma/web/activity_pub/transmogrifier/chat_message_handling.ex
+++ b/lib/pleroma/web/activity_pub/transmogrifier/chat_message_handling.ex
@@ -19,6 +19,9 @@ defmodule Pleroma.Web.ActivityPub.Transmogrifier.ChatMessageHandling do
          {_, {:ok, object_cast_data_sym}} <-
            {:casting_object_data, object_data |> ChatMessageValidator.cast_and_apply()},
          object_cast_data = ObjectValidator.stringify_keys(object_cast_data_sym),
+         # For now, just strip HTML
+         stripped_content = Pleroma.HTML.strip_tags(object_cast_data["content"]),
+         object_cast_data = object_cast_data |> Map.put("content", stripped_content),
          {_, {:ok, validated_object, _meta}} <-
            {:validate_object, ObjectValidator.validate(object_cast_data, %{})},
          {_, {:ok, _created_object}} <- {:persist_object, Object.create(validated_object)},
diff --git a/test/web/activity_pub/transmogrifier/chat_message_test.exs b/test/web/activity_pub/transmogrifier/chat_message_test.exs
index 5b238f9c4..7e7f9ebec 100644
--- a/test/web/activity_pub/transmogrifier/chat_message_test.exs
+++ b/test/web/activity_pub/transmogrifier/chat_message_test.exs
@@ -56,7 +56,9 @@ defmodule Pleroma.Web.ActivityPub.Transmogrifier.ChatMessageTest do
       assert activity.recipients == [recipient.ap_id, author.ap_id]
 
       %Object{} = object = Object.get_by_ap_id(activity.data["object"])
+
       assert object
+      assert object.data["content"] == "You expected a cute girl? Too bad. alert(&#39;XSS&#39;)"
     end
   end
 end