author | kaniini <nenolod@gmail.com> | 2019-04-23 23:07:56 +0000 |
---|---|---|
committer | kaniini <nenolod@gmail.com> | 2019-04-23 23:07:56 +0000 |
commit | 030a7876b42a0c925fd52474de514ae5e9171e55 (patch) | |
tree | 6a66d89ea23d49ccac40add027edffa08fdc165c /lib | |
parent | 3789945784a331790d73f69b407751df9f7d6e8f (diff) | |
parent | f5535e5743f755c66dcf92a8d4d2c06520cb72c8 (diff) | |
download | pleroma-030a7876b42a0c925fd52474de514ae5e9171e55.tar.gz |
Merge branch 'security/fix-html-class-scrubbing' into 'develop'
html: lock down allowed class attributes to only those related to microformats
See merge request pleroma/pleroma!1090
Diffstat (limited to 'lib')
-rw-r--r-- | lib/pleroma/html.ex | 29 |
1 files changed, 25 insertions, 4 deletions
diff --git a/lib/pleroma/html.ex b/lib/pleroma/html.ex
index 4b42d8c9b..cf6c0ee0a 100644
--- a/lib/pleroma/html.ex
+++ b/lib/pleroma/html.ex
@@ -106,7 +106,14 @@ defmodule Pleroma.HTML.Scrubber.TwitterText do
 # links
 Meta.allow_tag_with_uri_attributes("a", ["href", "data-user", "data-tag"], @valid_schemes)
- Meta.allow_tag_with_these_attributes("a", ["name", "title", "class"])
+
+ Meta.allow_tag_with_this_attribute_values("a", "class", [
+ "hashtag",
+ "u-url",
+ "mention",
+ "u-url mention",
+ "mention u-url"
+ ])
 Meta.allow_tag_with_this_attribute_values("a", "rel", [
 "tag",
@@ -115,12 +122,15 @@ defmodule Pleroma.HTML.Scrubber.TwitterText do
 "noreferrer"
 ])
+ Meta.allow_tag_with_these_attributes("a", ["name", "title"])
+
 # paragraphs and linebreaks
 Meta.allow_tag_with_these_attributes("br", [])
 Meta.allow_tag_with_these_attributes("p", [])
 # microformats
- Meta.allow_tag_with_these_attributes("span", ["class"])
+ Meta.allow_tag_with_this_attribute_values("span", "class", ["h-card"])
+ Meta.allow_tag_with_these_attributes("span", [])
 # allow inline images for custom emoji
 @allow_inline_images Keyword.get(@markup, :allow_inline_images)
@@ -155,7 +165,14 @@ defmodule Pleroma.HTML.Scrubber.Default do
 Meta.strip_comments()
 Meta.allow_tag_with_uri_attributes("a", ["href", "data-user", "data-tag"], @valid_schemes)
- Meta.allow_tag_with_these_attributes("a", ["name", "title", "class"])
+
+ Meta.allow_tag_with_this_attribute_values("a", "class", [
+ "hashtag",
+ "u-url",
+ "mention",
+ "u-url mention",
+ "mention u-url"
+ ])
 Meta.allow_tag_with_this_attribute_values("a", "rel", [
 "tag",
@@ -164,6 +181,8 @@ defmodule Pleroma.HTML.Scrubber.Default do
 "noreferrer"
 ])
+ Meta.allow_tag_with_these_attributes("a", ["name", "title"])
+
 Meta.allow_tag_with_these_attributes("abbr", ["title"])
 Meta.allow_tag_with_these_attributes("b", [])
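Review bot: The new `class` allowlist for `a` is copied verbatim into both scrubbers (this hunk and the `Pleroma.HTML.Scrubber.Default` hunk at `@@ -155,7`), and the `span` list `["h-card"]` likewise appears twice (hunks `@@ -115,12` and `@@ -177,11`), so any future microformats value has to be added in two places; a shared module attribute next to `@valid_schemes`, which both modules already read, would keep the two scrubbers in step. The presence of both `"u-url mention"` and `"mention u-url"` suggests the values are matched as whole attribute strings rather than as a set of class tokens, so a remote `class` with a different ordering or extra whitespace would presumably be stripped rather than normalised; that is a safe default, but it deserves a comment such as `# class values are matched as exact strings, not token sets; list every accepted combination`. The reason for the lock-down (only microformats classes survive, so remote markup cannot pick arbitrary class names) is stated in the commit title but not in the code; a one-line comment above the list would help the next maintainer. Both `defmodule` bodies begin and end outside these hunks.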
@@ -177,11 +196,13 @@ defmodule Pleroma.HTML.Scrubber.Default do
 Meta.allow_tag_with_these_attributes("ol", [])
 Meta.allow_tag_with_these_attributes("p", [])
 Meta.allow_tag_with_these_attributes("pre", [])
- Meta.allow_tag_with_these_attributes("span", ["class"])
 Meta.allow_tag_with_these_attributes("strong", [])
 Meta.allow_tag_with_these_attributes("u", [])
 Meta.allow_tag_with_these_attributes("ul", [])
+ Meta.allow_tag_with_this_attribute_values("span", "class", ["h-card"])
+ Meta.allow_tag_with_these_attributes("span", [])
+
 @allow_inline_images Keyword.get(@markup, :allow_inline_images)
 if @allow_inline_images do
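Review bot: The two new `span` rules in the `Default` scrubber are appended after `ul` instead of going back to the alphabetical slot between `pre` and `strong` that the removed `span` line occupied, so the otherwise sorted tag list is now out of order and harder to diff against the `TwitterText` scrubber, which keeps `span` under its `# microformats` comment. Moving `Meta.allow_tag_with_this_attribute_values("span", "class", ["h-card"])` and `Meta.allow_tag_with_these_attributes("span", [])` between the `pre` and `strong` lines, or giving them their own `# microformats` comment as the other module does, would keep both lists readable side by side. The relative order of these `Meta.*` calls presumably has no effect on the generated clauses, so this is a style point only. The enclosing `defmodule` body begins and ends outside this hunk.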