-rw-r--r-- | CHANGELOG.md | 1 | ||||
-rw-r--r-- | README.md | 2 | ||||
-rw-r--r-- | mix.exs | 2 | ||||
-rw-r--r-- | test/web/mastodon_api/mastodon_api_controller_test.exs | 2 | ||||
-rw-r--r-- | test/web/mastodon_api/status_view_test.exs | 2 | ||||
-rw-r--r-- | test/web/twitter_api/views/activity_view_test.exs | 2 |
6 files changed, 6 insertions, 5 deletions
diff --git a/CHANGELOG.md b/CHANGELOG.md index b273b83c0..f649e01df 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -6,6 +6,7 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/). ## [0.9.99999] - 2019-05-31 ### Security - Mastodon API: Fix lists leaking private posts +- HTML escaping: Lock down allowed class attributes to only those related to microformats ## [0.9.9999] - 2019-04-05 ### Security @@ -23,7 +23,7 @@ Client applications that are known to work well: * Tootle (iOS, No Streaming) * Whalebird (Windows + Mac + Linux) -This is the 0.9.9999 release. +This is the 0.9.99999 release. If you want to run your own server, feel free to contact us in our dev chat at #pleroma on freenode or via matrix at <https://matrix.heldscal.la/#/room/#freenode_#pleroma:matrix.org>. @@ -4,7 +4,7 @@ defmodule Pleroma.Mixfile do def project do [ app: :pleroma, - version: version("0.9.9999"), + version: version("0.9.99999"), elixir: "~> 1.7", elixirc_paths: elixirc_paths(Mix.env()), compilers: [:phoenix, :gettext] ++ Mix.compilers(), diff --git a/test/web/mastodon_api/mastodon_api_controller_test.exs b/test/web/mastodon_api/mastodon_api_controller_test.exs index f8da86004..9daa26410 100644 --- a/test/web/mastodon_api/mastodon_api_controller_test.exs +++ b/test/web/mastodon_api/mastodon_api_controller_test.exs @@ -1461,7 +1461,7 @@ defmodule Pleroma.Web.MastodonAPI.MastodonAPIControllerTest do assert user = json_response(conn, 200) assert user["note"] == - "I drink <a class=\"hashtag\" data-tag=\"cofe\" href=\"http://localhost:4001/tag/cofe\">#cofe</a> with <span class=\"h-card\"><a data-user=\"#{ + "I drink <a class=\"hashtag\" data-tag=\"cofe\" href=\"http://localhost:4001/tag/cofe\" rel=\"tag\">#cofe</a> with <span class=\"h-card\"><a data-user=\"#{ user2.id }\" class=\"u-url mention\" href=\"#{user2.ap_id}\">@<span>#{user2.nickname}</span></a></span>" end 
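Review bot: The expected string in the mastodon_api_controller_test.exs hunk, like those in the status_view_test.exs and activity_view_test.exs hunks, only confirms that the microformats classes (`hashtag`, `h-card`, `u-url mention`) survive rendering. None of the visible hunks asserts that a class outside that set is stripped, which is the behaviour the new CHANGELOG entry describes. The sanitizer change itself is not in this diff, so a negative test may already exist elsewhere. If it does not, add one beside these that submits a note with a constructed value such as `<span class="not-a-microformat">x</span>` and checks `refute user["note"] =~ "not-a-microformat"`. The enclosing test starts above the hunk, so how the note is submitted is not visible here.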
diff --git a/test/web/mastodon_api/status_view_test.exs b/test/web/mastodon_api/status_view_test.exs
index 9249424cd..a4d054486 100644
--- a/test/web/mastodon_api/status_view_test.exs
+++ b/test/web/mastodon_api/status_view_test.exs
@@ -94,7 +94,7 @@ defmodule Pleroma.Web.MastodonAPI.StatusViewTest do
 card: nil,
 reblog: nil,
 content:
- "cool test :firefox: <a class=\"hashtag\" data-tag=\"yeah\" href=\"http://localhost:4001/tag/yeah\">#yeah</a>",
+ "cool test :firefox: <a class=\"hashtag\" data-tag=\"yeah\" href=\"http://localhost:4001/tag/yeah\" rel=\"tag\">#yeah</a>",
 created_at: created_at,
 reblogs_count: 0,
 replies_count: 0,
diff --git a/test/web/twitter_api/views/activity_view_test.exs b/test/web/twitter_api/views/activity_view_test.exs
index 4f854ecaa..47e2e1038 100644
--- a/test/web/twitter_api/views/activity_view_test.exs
+++ b/test/web/twitter_api/views/activity_view_test.exs
@@ -66,7 +66,7 @@ defmodule Pleroma.Web.TwitterAPI.ActivityViewTest do result = ActivityView.render("activity.json", activity: activity) assert result["statusnet_html"] == - "<a class=\"hashtag\" data-tag=\"bike\" href=\"http://localhost:4001/tag/bike\">#Bike</a> log - Commute Tuesday<br /><a href=\"https://pla.bike/posts/20181211/\">https://pla.bike/posts/20181211/</a><br /><a class=\"hashtag\" data-tag=\"cycling\" href=\"http://localhost:4001/tag/cycling\">#cycling</a> <a class=\"hashtag\" data-tag=\"chscycling\" href=\"http://localhost:4001/tag/chscycling\">#CHScycling</a> <a class=\"hashtag\" data-tag=\"commute\" href=\"http://localhost:4001/tag/commute\">#commute</a><br />MVIMG_20181211_054020.jpg" + "<a class=\"hashtag\" data-tag=\"bike\" href=\"http://localhost:4001/tag/bike\" rel=\"tag\">#Bike</a> log - Commute Tuesday<br /><a href=\"https://pla.bike/posts/20181211/\">https://pla.bike/posts/20181211/</a><br /><a class=\"hashtag\" data-tag=\"cycling\" href=\"http://localhost:4001/tag/cycling\" rel=\"tag\">#cycling</a> <a class=\"hashtag\" data-tag=\"chscycling\" href=\"http://localhost:4001/tag/chscycling\" rel=\"tag\">#CHScycling</a> <a class=\"hashtag\" data-tag=\"commute\" href=\"http://localhost:4001/tag/commute\" rel=\"tag\">#commute</a><br />MVIMG_20181211_054020.jpg" assert result["text"] == "#Bike log - Commute Tuesday\nhttps://pla.bike/posts/20181211/\n#cycling #CHScycling #commute\nMVIMG_20181211_054020.jpg" |