ChatMessagesHandling: Strip HTML of incoming messages.
authorlain <lain@soykaf.club>
Thu, 16 Apr 2020 15:50:24 +0000 (17:50 +0200)
committerlain <lain@soykaf.club>
Thu, 16 Apr 2020 15:50:24 +0000 (17:50 +0200)
lib/pleroma/web/activity_pub/transmogrifier/chat_message_handling.ex
test/web/activity_pub/transmogrifier/chat_message_test.exs

index 815b866c93663da6e030c5d179e450f449c7c19c..11bd10456150febe5925ee402bc4d8715656f9f3 100644 (file)
@@ -19,6 +19,9 @@ defmodule Pleroma.Web.ActivityPub.Transmogrifier.ChatMessageHandling do
          {_, {:ok, object_cast_data_sym}} <-
            {:casting_object_data, object_data |> ChatMessageValidator.cast_and_apply()},
          object_cast_data = ObjectValidator.stringify_keys(object_cast_data_sym),
+         # For now, just strip HTML
+         stripped_content = Pleroma.HTML.strip_tags(object_cast_data["content"]),
+         object_cast_data = object_cast_data |> Map.put("content", stripped_content),
          {_, {:ok, validated_object, _meta}} <-
            {:validate_object, ObjectValidator.validate(object_cast_data, %{})},
          {_, {:ok, _created_object}} <- {:persist_object, Object.create(validated_object)},
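Review bot: The new `stripped_content = Pleroma.HTML.strip_tags(object_cast_data["content"])` binding is a bare match inside the `with`, so if a remote activity arrives without a "content" key (or with a non-binary value) the call receives `nil` and any error it raises will crash the handler instead of falling through to the `with`'s error handling like the tagged `{:casting_object_data, ...}` / `{:validate_object, ...}` steps around it — unless `ChatMessageValidator.cast_and_apply/1` already guarantees a binary content, which I cannot confirm from the hunk. Making the shape explicit keeps the failure in-band: `{_, content} when is_binary(content) <- {:content_is_binary, object_cast_data["content"]},` followed by `stripped_content = Pleroma.HTML.strip_tags(content),`. Stripping before `ObjectValidator.validate/2` is the right order, since the persisted object is then the already-sanitized one; the `# For now, just strip HTML` comment would be more useful stating the reason (e.g. that chat message content is meant to be rendered as plain text) so a later maintainer knows whether a scrubber policy may replace it. The enclosing `with` starts and ends outside the hunk.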
index 5b238f9c4d4274475308c93c38d5f46b0cfbe9c7..7e7f9ebec697d50f00feba90d4b70401db9f0354 100644 (file)
@@ -56,7 +56,9 @@ defmodule Pleroma.Web.ActivityPub.Transmogrifier.ChatMessageTest do
       assert activity.recipients == [recipient.ap_id, author.ap_id]
 
       %Object{} = object = Object.get_by_ap_id(activity.data["object"])
+
       assert object
+      assert object.data["content"] == "You expected a cute girl? Too bad. alert(&#39;XSS&#39;)"
     end
   end
 end
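Review bot: The added assertion `assert object.data["content"] == "You expected a cute girl? Too bad. alert(&#39;XSS&#39;)"` pins the exact entity-escaped output of `Pleroma.HTML.strip_tags/1`, so the test will break on an unrelated escaping change while the property the commit cares about — no markup survives — is only implied. Adding `refute object.data["content"] =~ "<"` beside it states that property directly, and a short comment such as `# fixture content carries a <script> tag; only the text must remain` would let a reader verify the intent without opening the fixture, which is outside the hunk (I am assuming from the expected string that the fixture wraps the `alert(...)` in a script tag). The test function and its setup begin outside the hunk.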