html scrubbing policies: restrict img tags to http/https only for mediaproxy compatib...
authorWilliam Pitcock <nenolod@dereferenced.org>
Thu, 18 Oct 2018 14:29:31 +0000 (14:29 +0000)
committerWilliam Pitcock <nenolod@dereferenced.org>
Thu, 18 Oct 2018 14:29:31 +0000 (14:29 +0000)
lib/pleroma/html.ex

index 2d2155b8260ea1fc1103306a02dffe20ba5efec0..fdc5e7dab9930c4adf66cad34fbd951d17dad544 100644 (file)
@@ -63,7 +63,8 @@ defmodule Pleroma.HTML.Scrubber.TwitterText do
   @allow_inline_images Keyword.get(@markup, :allow_inline_images)
 
   if @allow_inline_images do
-    Meta.allow_tag_with_uri_attributes("img", ["src"], @valid_schemes)
+    # restrict img tags to http/https only, because of MediaProxy.
+    Meta.allow_tag_with_uri_attributes("img", ["src"], ["http", "https"])
 
     Meta.allow_tag_with_these_attributes("img", [
       "width",
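Review bot: The scheme allowlist `["http", "https"]` on the added `Meta.allow_tag_with_uri_attributes("img", ["src"], ...)` line is a bare literal, and the same literal is repeated in the `Pleroma.HTML.Scrubber.Default` hunk below, so the two policies can drift apart if only one is edited later. Naming it once next to `@valid_schemes` in each module, e.g. `@img_src_schemes ["http", "https"]`, and passing that attribute would keep the restriction visible and greppable. The comment would also help more if it stated the reason, for example `# img src is routed through MediaProxy, which presumably only handles http(s); the other @valid_schemes entries are dropped for img on purpose`. Both module bodies continue outside the hunks, so it cannot be confirmed from here that no other URI-bearing `img` attribute is allowed with the wider scheme list.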
@@ -113,7 +114,8 @@ defmodule Pleroma.HTML.Scrubber.Default do
   @allow_inline_images Keyword.get(@markup, :allow_inline_images)
 
   if @allow_inline_images do
-    Meta.allow_tag_with_uri_attributes("img", ["src"], @valid_schemes)
+    # restrict img tags to http/https only, because of MediaProxy.
+    Meta.allow_tag_with_uri_attributes("img", ["src"], ["http", "https"])
 
     Meta.allow_tag_with_these_attributes("img", [
       "width",