Merge branch '1149-oban-job-queue' into 'develop'
[akkoma] / lib / pleroma / html.ex
1 # Pleroma: A lightweight social networking server
2 # Copyright © 2017-2019 Pleroma Authors <https://pleroma.social/>
3 # SPDX-License-Identifier: AGPL-3.0-only
4
5 defmodule Pleroma.HTML do
6 alias HtmlSanitizeEx.Scrubber
7
8 defp get_scrubbers(scrubber) when is_atom(scrubber), do: [scrubber]
9 defp get_scrubbers(scrubbers) when is_list(scrubbers), do: scrubbers
10 defp get_scrubbers(_), do: [Pleroma.HTML.Scrubber.Default]
11
12 def get_scrubbers do
13 Pleroma.Config.get([:markup, :scrub_policy])
14 |> get_scrubbers
15 end
16
17 def filter_tags(html, nil) do
18 filter_tags(html, get_scrubbers())
19 end
20
21 def filter_tags(html, scrubbers) when is_list(scrubbers) do
22 Enum.reduce(scrubbers, html, fn scrubber, html ->
23 filter_tags(html, scrubber)
24 end)
25 end
26
27 def filter_tags(html, scrubber), do: Scrubber.scrub(html, scrubber)
28 def filter_tags(html), do: filter_tags(html, nil)
29 def strip_tags(html), do: Scrubber.scrub(html, Scrubber.StripTags)
30
31 def get_cached_scrubbed_html_for_activity(
32 content,
33 scrubbers,
34 activity,
35 key \\ "",
36 callback \\ fn x -> x end
37 ) do
38 key = "#{key}#{generate_scrubber_signature(scrubbers)}|#{activity.id}"
39
40 Cachex.fetch!(:scrubber_cache, key, fn _key ->
41 object = Pleroma.Object.normalize(activity)
42 ensure_scrubbed_html(content, scrubbers, object.data["fake"] || false, callback)
43 end)
44 end
45
46 def get_cached_stripped_html_for_activity(content, activity, key) do
47 get_cached_scrubbed_html_for_activity(
48 content,
49 HtmlSanitizeEx.Scrubber.StripTags,
50 activity,
51 key,
52 &HtmlEntities.decode/1
53 )
54 end
55
56 def ensure_scrubbed_html(
57 content,
58 scrubbers,
59 fake,
60 callback
61 ) do
62 content =
63 content
64 |> filter_tags(scrubbers)
65 |> callback.()
66
67 if fake do
68 {:ignore, content}
69 else
70 {:commit, content}
71 end
72 end
73
74 defp generate_scrubber_signature(scrubber) when is_atom(scrubber) do
75 generate_scrubber_signature([scrubber])
76 end
77
78 defp generate_scrubber_signature(scrubbers) do
79 Enum.reduce(scrubbers, "", fn scrubber, signature ->
80 "#{signature}#{to_string(scrubber)}"
81 end)
82 end
83
84 def extract_first_external_url(_, nil), do: {:error, "No content"}
85
86 def extract_first_external_url(object, content) do
87 key = "URL|#{object.id}"
88
89 Cachex.fetch!(:scrubber_cache, key, fn _key ->
90 result =
91 content
92 |> Floki.filter_out("a.mention,a.hashtag,a[rel~=\"tag\"]")
93 |> Floki.attribute("a", "href")
94 |> Enum.at(0)
95
96 {:commit, {:ok, result}}
97 end)
98 end
99 end
100
101 defmodule Pleroma.HTML.Scrubber.TwitterText do
102 @moduledoc """
103 An HTML scrubbing policy which limits to twitter-style text. Only
104 paragraphs, breaks and links are allowed through the filter.
105 """
106
107 @valid_schemes Pleroma.Config.get([:uri_schemes, :valid_schemes], [])
108
109 require HtmlSanitizeEx.Scrubber.Meta
110 alias HtmlSanitizeEx.Scrubber.Meta
111
112 Meta.remove_cdata_sections_before_scrub()
113 Meta.strip_comments()
114
115 # links
116 Meta.allow_tag_with_uri_attributes("a", ["href", "data-user", "data-tag"], @valid_schemes)
117
118 Meta.allow_tag_with_this_attribute_values("a", "class", [
119 "hashtag",
120 "u-url",
121 "mention",
122 "u-url mention",
123 "mention u-url"
124 ])
125
126 Meta.allow_tag_with_this_attribute_values("a", "rel", [
127 "tag",
128 "nofollow",
129 "noopener",
130 "noreferrer"
131 ])
132
133 Meta.allow_tag_with_these_attributes("a", ["name", "title"])
134
135 # paragraphs and linebreaks
136 Meta.allow_tag_with_these_attributes("br", [])
137 Meta.allow_tag_with_these_attributes("p", [])
138
139 # microformats
140 Meta.allow_tag_with_this_attribute_values("span", "class", ["h-card"])
141 Meta.allow_tag_with_these_attributes("span", [])
142
143 # allow inline images for custom emoji
144 if Pleroma.Config.get([:markup, :allow_inline_images]) do
145 # restrict img tags to http/https only, because of MediaProxy.
146 Meta.allow_tag_with_uri_attributes("img", ["src"], ["http", "https"])
147
148 Meta.allow_tag_with_these_attributes("img", [
149 "width",
150 "height",
151 "class",
152 "title",
153 "alt"
154 ])
155 end
156
157 Meta.strip_everything_not_covered()
158 end
159
160 defmodule Pleroma.HTML.Scrubber.Default do
161 @doc "The default HTML scrubbing policy: no "
162
163 require HtmlSanitizeEx.Scrubber.Meta
164 alias HtmlSanitizeEx.Scrubber.Meta
165 # credo:disable-for-previous-line
166 # No idea how to fix this one…
167
168 @valid_schemes Pleroma.Config.get([:uri_schemes, :valid_schemes], [])
169
170 Meta.remove_cdata_sections_before_scrub()
171 Meta.strip_comments()
172
173 Meta.allow_tag_with_uri_attributes("a", ["href", "data-user", "data-tag"], @valid_schemes)
174
175 Meta.allow_tag_with_this_attribute_values("a", "class", [
176 "hashtag",
177 "u-url",
178 "mention",
179 "u-url mention",
180 "mention u-url"
181 ])
182
183 Meta.allow_tag_with_this_attribute_values("a", "rel", [
184 "tag",
185 "nofollow",
186 "noopener",
187 "noreferrer"
188 ])
189
190 Meta.allow_tag_with_these_attributes("a", ["name", "title"])
191
192 Meta.allow_tag_with_these_attributes("abbr", ["title"])
193
194 Meta.allow_tag_with_these_attributes("b", [])
195 Meta.allow_tag_with_these_attributes("blockquote", [])
196 Meta.allow_tag_with_these_attributes("br", [])
197 Meta.allow_tag_with_these_attributes("code", [])
198 Meta.allow_tag_with_these_attributes("del", [])
199 Meta.allow_tag_with_these_attributes("em", [])
200 Meta.allow_tag_with_these_attributes("i", [])
201 Meta.allow_tag_with_these_attributes("li", [])
202 Meta.allow_tag_with_these_attributes("ol", [])
203 Meta.allow_tag_with_these_attributes("p", [])
204 Meta.allow_tag_with_these_attributes("pre", [])
205 Meta.allow_tag_with_these_attributes("strong", [])
206 Meta.allow_tag_with_these_attributes("sub", [])
207 Meta.allow_tag_with_these_attributes("sup", [])
208 Meta.allow_tag_with_these_attributes("u", [])
209 Meta.allow_tag_with_these_attributes("ul", [])
210
211 Meta.allow_tag_with_this_attribute_values("span", "class", ["h-card"])
212 Meta.allow_tag_with_these_attributes("span", [])
213
214 @allow_inline_images Pleroma.Config.get([:markup, :allow_inline_images])
215
216 if @allow_inline_images do
217 # restrict img tags to http/https only, because of MediaProxy.
218 Meta.allow_tag_with_uri_attributes("img", ["src"], ["http", "https"])
219
220 Meta.allow_tag_with_these_attributes("img", [
221 "width",
222 "height",
223 "class",
224 "title",
225 "alt"
226 ])
227 end
228
229 if Pleroma.Config.get([:markup, :allow_tables]) do
230 Meta.allow_tag_with_these_attributes("table", [])
231 Meta.allow_tag_with_these_attributes("tbody", [])
232 Meta.allow_tag_with_these_attributes("td", [])
233 Meta.allow_tag_with_these_attributes("th", [])
234 Meta.allow_tag_with_these_attributes("thead", [])
235 Meta.allow_tag_with_these_attributes("tr", [])
236 end
237
238 if Pleroma.Config.get([:markup, :allow_headings]) do
239 Meta.allow_tag_with_these_attributes("h1", [])
240 Meta.allow_tag_with_these_attributes("h2", [])
241 Meta.allow_tag_with_these_attributes("h3", [])
242 Meta.allow_tag_with_these_attributes("h4", [])
243 Meta.allow_tag_with_these_attributes("h5", [])
244 end
245
246 if Pleroma.Config.get([:markup, :allow_fonts]) do
247 Meta.allow_tag_with_these_attributes("font", ["face"])
248 end
249
250 Meta.strip_everything_not_covered()
251 end
252
253 defmodule Pleroma.HTML.Transform.MediaProxy do
254 @moduledoc "Transforms inline image URIs to use MediaProxy."
255
256 alias Pleroma.Web.MediaProxy
257
258 def before_scrub(html), do: html
259
260 def scrub_attribute("img", {"src", "http" <> target}) do
261 media_url =
262 ("http" <> target)
263 |> MediaProxy.url()
264
265 {"src", media_url}
266 end
267
268 def scrub_attribute(_tag, attribute), do: attribute
269
270 def scrub({"img", attributes, children}) do
271 attributes =
272 attributes
273 |> Enum.map(fn attr -> scrub_attribute("img", attr) end)
274 |> Enum.reject(&is_nil(&1))
275
276 {"img", attributes, children}
277 end
278
279 def scrub({:comment, _children}), do: ""
280
281 def scrub({tag, attributes, children}), do: {tag, attributes, children}
282 def scrub({_tag, children}), do: children
283 def scrub(text), do: text
284 end
285
286 defmodule Pleroma.HTML.Scrubber.LinksOnly do
287 @moduledoc """
288 An HTML scrubbing policy which limits to links only.
289 """
290
291 @valid_schemes Pleroma.Config.get([:uri_schemes, :valid_schemes], [])
292
293 require HtmlSanitizeEx.Scrubber.Meta
294 alias HtmlSanitizeEx.Scrubber.Meta
295
296 Meta.remove_cdata_sections_before_scrub()
297 Meta.strip_comments()
298
299 # links
300 Meta.allow_tag_with_uri_attributes("a", ["href"], @valid_schemes)
301
302 Meta.allow_tag_with_this_attribute_values("a", "rel", [
303 "tag",
304 "nofollow",
305 "noopener",
306 "noreferrer",
307 "me"
308 ])
309
310 Meta.allow_tag_with_these_attributes("a", ["name", "title"])
311 Meta.strip_everything_not_covered()
312 end