SafeText: Let through basic html.
authorlain <lain@soykaf.club>
Sat, 30 May 2020 10:17:18 +0000 (12:17 +0200)
committerlain <lain@soykaf.club>
Sat, 30 May 2020 10:17:18 +0000 (12:17 +0200)
lib/pleroma/web/activity_pub/object_validators/types/safe_text.ex
test/web/activity_pub/object_validator_test.exs
test/web/activity_pub/object_validators/types/safe_text_test.exs

index 822e8d2c119ae357ac125e1f7f025c185cf18dd1..95c948123621aa4c9a61b119353e42b6ad7aca16 100644 (file)
@@ -10,7 +10,7 @@ defmodule Pleroma.Web.ActivityPub.ObjectValidators.Types.SafeText do
   def type, do: :string
 
   def cast(str) when is_binary(str) do
-    {:ok, HTML.strip_tags(str)}
+    {:ok, HTML.filter_tags(str)}
   end
 
   def cast(_), do: :error
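Review bot: `HTML.filter_tags(str)` is called without a scrubber argument, so which tags and attributes SafeText now admits is decided by a default configured elsewhere, and nothing at this call site records that for a type whose name promises safety. A one-line comment above the call would help: `# Relies on HTML.filter_tags' default scrubber; tags outside its allowlist are dropped but their text is kept (see safe_text_test.exs).`. The text-kept behaviour is what both added tests assert, since the script body survives as escaped text. The enclosing module begins before the hunk, so the moduledoc is the other place this could be stated.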
index 929fdbc9bc9d09540dadc8404900cceef105671d..31224abe0b99f45a2eaea72780b77a49f8bad957 100644 (file)
@@ -113,6 +113,20 @@ defmodule Pleroma.Web.ActivityPub.ObjectValidatorTest do
       %{user: user, recipient: recipient, valid_chat_message: valid_chat_message}
     end
 
+    test "let's through some basic html", %{user: user, recipient: recipient} do
+      {:ok, valid_chat_message, _} =
+        Builder.chat_message(
+          user,
+          recipient.ap_id,
+          "hey <a href='https://example.org'>example</a> <script>alert('uguu')</script>"
+        )
+
+      assert {:ok, object, _meta} = ObjectValidator.validate(valid_chat_message, [])
+
+      assert object["content"] ==
+               "hey <a href=\"https://example.org\">example</a> alert(&#39;uguu&#39;)"
+    end
+
     test "validates for a basic object we build", %{valid_chat_message: valid_chat_message} do
       assert {:ok, object, _meta} = ObjectValidator.validate(valid_chat_message, [])
 
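Review bot: The test name on the first added line has an apostrophe typo; it should read `test "lets through some basic html", %{user: user, recipient: recipient} do`. Both this test and the one added to safe_text_test.exs only exercise a disallowed tag next to a permitted `<a href>`; neither checks that a disallowed attribute on a permitted tag is stripped, which is the other half of what an allowlist scrubber has to enforce, and the scrubber's attribute rules are not visible in this commit. One assertion of that shape in either file would pin the policy the `filter_tags` change now depends on.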
index 59ed0a1febbc675744d6f3045b12f78266f44304..d4a574554b03c3389b4f57b5980064174f6a4d11 100644 (file)
@@ -17,6 +17,13 @@ defmodule Pleroma.Web.ActivityPub.ObjectValidators.Types.SafeTextTest do
     assert {:ok, "hey look xss alert(&#39;foo&#39;)"} == SafeText.cast(text)
   end
 
+  test "it keeps basic html tags" do
+    text = "hey <a href='http://gensokyo.2hu'>look</a> xss <script>alert('foo')</script>"
+
+    assert {:ok, "hey <a href=\"http://gensokyo.2hu\">look</a> xss alert(&#39;foo&#39;)"} ==
+             SafeText.cast(text)
+  end
+
   test "errors for non-text" do
     assert :error == SafeText.cast(1)
   end