Escape HTML instead of discarding it.
authoreal <eal@waifu.club>
Sat, 18 Nov 2017 12:43:41 +0000 (14:43 +0200)
committereal <eal@waifu.club>
Sat, 18 Nov 2017 12:43:41 +0000 (14:43 +0200)
lib/pleroma/web/common_api/utils.ex
test/web/twitter_api/twitter_api_test.exs

index 83a656011a83c0b9497f85203a5aaa5f144aea08..21b6226b1d82cf2d81da73f40f7cf490577c06a4 100644 (file)
@@ -58,7 +58,8 @@ defmodule Pleroma.Web.CommonAPI.Utils do
   end
 
   def format_input(text, mentions, tags) do
-    HtmlSanitizeEx.strip_tags(text)
+    Phoenix.HTML.html_escape(text)
+    |> elem(1)
     |> Formatter.linkify
     |> String.replace("\n", "<br>\n")
     |> add_user_links(mentions)
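Review bot: The `|> elem(1)` on the second added line accepts any two-element tuple and hides the `{:safe, _}` contract of `Phoenix.HTML.html_escape/1`; an assertive match reads better and fails loudly if the return shape ever changes, e.g. `{:safe, escaped} = Phoenix.HTML.html_escape(text)` followed by `escaped |> Formatter.linkify`. Escaping before `Formatter.linkify` is the right order for the markup the later steps append, but it also means `&`, `"` and `'` in the user text are already entity-encoded when linkify scans for URLs, so a URL with a query string may presumably be linkified differently than before — worth a test. A short why-comment would help the next reader: `# Escape user-supplied HTML first; linkify/add_user_links append trusted markup afterwards.` The enclosing `format_input/3` continues past the end of the hunk.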
index 994cc8f90cf7eb5cd5ae1dbf9fabbab49160666b..8698686ad88b472ad00be7f11a34e39e2526198d 100644 (file)
@@ -34,7 +34,7 @@ defmodule Pleroma.Web.TwitterAPI.TwitterAPITest do
 
     { :ok, activity = %Activity{} } = TwitterAPI.create_status(user, input)
 
-    assert get_in(activity.data, ["object", "content"]) == "Hello again, <a href='shp'>@shp</a>.<br>\nThis is on another line. #2hu #epic #phantasmagoric<br>\n<a href=\"http://example.org/image.jpg\" class='attachment'>image.jpg</a>"
+    assert get_in(activity.data, ["object", "content"]) == "Hello again, <a href='shp'>@shp</a>.&lt;script&gt;&lt;/script&gt;<br>\nThis is on another line. #2hu #epic #phantasmagoric<br>\n<a href=\"http://example.org/image.jpg\" class='attachment'>image.jpg</a>"
     assert get_in(activity.data, ["object", "type"]) == "Note"
     assert get_in(activity.data, ["object", "actor"]) == user.ap_id
     assert get_in(activity.data, ["actor"]) == user.ap_id
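Review bot: The new expected string only exercises the `<script>` case, while `Phoenix.HTML.html_escape/1` also rewrites `&`, `"` and `'`; a second input containing a URL with a query string (e.g. `?a=1&b=2`) would pin down whether `Formatter.linkify` still emits a usable href after escaping. The `input` binding that now contains `<script></script>` is defined before the hunk, so its exact value is not visible here; the test body starts outside the hunk.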