X-Git-Url: http://git.squeep.com/?a=blobdiff_plain;f=lib%2Fpleroma%2Fhtml.ex;h=44b6776f97dd8702ac6ac32c79267f950ea46967;hb=3f9da55adc9798bd66749dcdbd02fded8494fda3;hp=ab62dd1da27062356648a1bd99bdb7962ef8dd9d;hpb=22c366a85f2a41c1344b863446491c866c47a8a4;p=akkoma diff --git a/lib/pleroma/html.ex b/lib/pleroma/html.ex index ab62dd1da..44b6776f9 100644 --- a/lib/pleroma/html.ex +++ b/lib/pleroma/html.ex @@ -1,31 +1,29 @@ +# Pleroma: A lightweight social networking server +# Copyright © 2017-2018 Pleroma Authors +# SPDX-License-Identifier: AGPL-3.0-only + defmodule Pleroma.HTML do alias HtmlSanitizeEx.Scrubber - @markup Application.get_env(:pleroma, :markup) - defp get_scrubbers(scrubber) when is_atom(scrubber), do: [scrubber] defp get_scrubbers(scrubbers) when is_list(scrubbers), do: scrubbers defp get_scrubbers(_), do: [Pleroma.HTML.Scrubber.Default] def get_scrubbers() do - Keyword.get(@markup, :scrub_policy) + Pleroma.Config.get([:markup, :scrub_policy]) |> get_scrubbers end - def filter_tags(html, scrubber) do - html |> Scrubber.scrub(scrubber) - end - - def filter_tags(html) do + def filter_tags(html, nil) do get_scrubbers() |> Enum.reduce(html, fn scrubber, html -> filter_tags(html, scrubber) end) end - def strip_tags(html) do - html |> Scrubber.scrub(Scrubber.StripTags) - end + def filter_tags(html, scrubber), do: Scrubber.scrub(html, scrubber) + def filter_tags(html), do: filter_tags(html, nil) + def strip_tags(html), do: Scrubber.scrub(html, Scrubber.StripTags) end defmodule Pleroma.HTML.Scrubber.TwitterText do @@ -34,16 +32,22 @@ defmodule Pleroma.HTML.Scrubber.TwitterText do paragraphs, breaks and links are allowed through the filter. """ + @markup Application.get_env(:pleroma, :markup) + @uri_schemes Application.get_env(:pleroma, :uri_schemes, []) + @valid_schemes Keyword.get(@uri_schemes, :valid_schemes, []) + require HtmlSanitizeEx.Scrubber.Meta alias HtmlSanitizeEx.Scrubber.Meta - @valid_schemes ["http", "https"] + def version do + 0 + end Meta.remove_cdata_sections_before_scrub() Meta.strip_comments() # links - Meta.allow_tag_with_uri_attributes("a", ["href"], @valid_schemes) + Meta.allow_tag_with_uri_attributes("a", ["href", "data-user", "data-tag"], @valid_schemes) Meta.allow_tag_with_these_attributes("a", ["name", "title"]) # paragraphs and linebreaks @@ -54,11 +58,11 @@ defmodule Pleroma.HTML.Scrubber.TwitterText do Meta.allow_tag_with_these_attributes("span", []) # allow inline images for custom emoji - @markup Application.get_env(:pleroma, :markup) @allow_inline_images Keyword.get(@markup, :allow_inline_images) if @allow_inline_images do - Meta.allow_tag_with_uri_attributes("img", ["src"], @valid_schemes) + # restrict img tags to http/https only, because of MediaProxy. + Meta.allow_tag_with_uri_attributes("img", ["src"], ["http", "https"]) Meta.allow_tag_with_these_attributes("img", [ "width", @@ -67,6 +71,8 @@ defmodule Pleroma.HTML.Scrubber.TwitterText do "alt" ]) end + + Meta.strip_everything_not_covered() end defmodule Pleroma.HTML.Scrubber.Default do @@ -75,14 +81,22 @@ defmodule Pleroma.HTML.Scrubber.Default do require HtmlSanitizeEx.Scrubber.Meta alias HtmlSanitizeEx.Scrubber.Meta - @valid_schemes ["http", "https"] + def version do + 0 + end + + @markup Application.get_env(:pleroma, :markup) + @uri_schemes Application.get_env(:pleroma, :uri_schemes, []) + @valid_schemes Keyword.get(@uri_schemes, :valid_schemes, []) Meta.remove_cdata_sections_before_scrub() Meta.strip_comments() - Meta.allow_tag_with_uri_attributes("a", ["href"], @valid_schemes) + Meta.allow_tag_with_uri_attributes("a", ["href", "data-user", "data-tag"], @valid_schemes) Meta.allow_tag_with_these_attributes("a", ["name", "title"]) + Meta.allow_tag_with_these_attributes("abbr", ["title"]) + Meta.allow_tag_with_these_attributes("b", []) Meta.allow_tag_with_these_attributes("blockquote", []) Meta.allow_tag_with_these_attributes("br", []) @@ -99,11 +113,11 @@ defmodule Pleroma.HTML.Scrubber.Default do Meta.allow_tag_with_these_attributes("u", []) Meta.allow_tag_with_these_attributes("ul", []) - @markup Application.get_env(:pleroma, :markup) @allow_inline_images Keyword.get(@markup, :allow_inline_images) if @allow_inline_images do - Meta.allow_tag_with_uri_attributes("img", ["src"], @valid_schemes) + # restrict img tags to http/https only, because of MediaProxy. + Meta.allow_tag_with_uri_attributes("img", ["src"], ["http", "https"]) Meta.allow_tag_with_these_attributes("img", [ "width", @@ -148,6 +162,10 @@ defmodule Pleroma.HTML.Transform.MediaProxy do alias Pleroma.Web.MediaProxy + def version do + 0 + end + def before_scrub(html), do: html def scrub_attribute("img", {"src", "http" <> target}) do @@ -158,7 +176,7 @@ defmodule Pleroma.HTML.Transform.MediaProxy do {"src", media_url} end - def scrub_attribute(tag, attribute), do: attribute + def scrub_attribute(_tag, attribute), do: attribute def scrub({"img", attributes, children}) do attributes = @@ -169,7 +187,9 @@ defmodule Pleroma.HTML.Transform.MediaProxy do {"img", attributes, children} end + def scrub({:comment, _children}), do: "" + def scrub({tag, attributes, children}), do: {tag, attributes, children} - def scrub({tag, children}), do: children + def scrub({_tag, children}), do: children def scrub(text), do: text end