From 0ebf3b3afdfe9f91e24077a81d9534871a076c99 Mon Sep 17 00:00:00 2001
From: Alex Gleason <alex@alexgleason.me>
Date: Tue, 4 May 2021 19:06:30 -0500
Subject: Add rich type back but sanitize HTML better

---
 lib/pleroma/web/rich_media/parser/card.ex | 24 ++++++++++++++++--------
 1 file changed, 16 insertions(+), 8 deletions(-)

diff --git a/lib/pleroma/web/rich_media/parser/card.ex b/lib/pleroma/web/rich_media/parser/card.ex
index 678aac664..71b0a5b17 100644
--- a/lib/pleroma/web/rich_media/parser/card.ex
+++ b/lib/pleroma/web/rich_media/parser/card.ex
@@ -6,7 +6,7 @@ defmodule Pleroma.Web.RichMedia.Parser.Card do
   alias Pleroma.Web.RichMedia.Parser.Card
   alias Pleroma.Web.RichMedia.Parser.Embed
 
-  @types ["link", "photo", "video"]
+  @types ["link", "photo", "video", "rich"]
 
   # https://docs.joinmastodon.org/entities/card/
   defstruct url: nil,
@@ -28,12 +28,6 @@ defmodule Pleroma.Web.RichMedia.Parser.Card do
       when type in @types and is_binary(url) do
     uri = URI.parse(url)
 
-    html =
-      case FastSanitize.Sanitizer.scrub(oembed["html"], Pleroma.HTML.Scrubber.OEmbed) do
-        {:ok, html} -> html
-        _ -> ""
-      end
-
     %Card{
       url: url,
       title: title,
@@ -43,7 +37,7 @@ defmodule Pleroma.Web.RichMedia.Parser.Card do
       author_url: oembed["author_url"],
       provider_name: oembed["provider_name"] || uri.host,
       provider_url: oembed["provider_url"] || "#{uri.scheme}://#{uri.host}",
-      html: html,
+      html: sanitize_html(oembed["html"]),
       width: oembed["width"],
       height: oembed["height"],
       image: oembed["thumbnail_url"] |> proxy(),
@@ -95,6 +89,15 @@ defmodule Pleroma.Web.RichMedia.Parser.Card do
     end
   end
 
+  defp sanitize_html(html) do
+    with {:ok, html} <- FastSanitize.Sanitizer.scrub(html, Pleroma.HTML.Scrubber.OEmbed),
+         {:ok, [{"iframe", _, _}]} <- Floki.parse_fragment(html) do
+      html
+    else
+      _ -> ""
+    end
+  end
+
   def to_map(%Card{} = card) do
     card
     |> Map.from_struct()
@@ -108,6 +111,11 @@ defmodule Pleroma.Web.RichMedia.Parser.Card do
   defp proxy(url) when is_binary(url), do: Pleroma.Web.MediaProxy.url(url)
   defp proxy(_), do: nil
 
+  def validate(%Card{type: type, html: html} = card)
+      when type in ["video", "rich"] and (is_binary(html) == false or html == "") do
+    {:error, {:invalid_metadata, card}}
+  end
+
   def validate(%Card{type: type, title: title} = card)
       when type in @types and is_binary(title) and title != "" do
     {:ok, card}
-- 
cgit v1.2.3