Strip html from emoji stuff.
authorlain <lain@soykaf.club>
Fri, 23 Mar 2018 18:52:08 +0000 (19:52 +0100)
committerlain <lain@soykaf.club>
Fri, 23 Mar 2018 18:52:08 +0000 (19:52 +0100)
lib/pleroma/formatter.ex
lib/pleroma/web/mastodon_api/views/status_view.ex

index fdf91f56e4877cc3c2c5e8aaf02db7e279170fb9..fd8465c1cd34b259e55f9566c236c425d1d3a7d5 100644 (file)
@@ -132,6 +132,8 @@ defmodule Pleroma.Formatter do
     end
 
     Enum.reduce(all_emoji, text, fn ({emoji, file}, text) ->
+      emoji = HtmlSanitizeEx.strip_tags(emoji)
+      file = HtmlSanitizeEx.strip_tags(file)
       String.replace(text, ":#{emoji}:", "<img height='32px' width='32px' alt='#{emoji}' title='#{emoji}' src='#{MediaProxy.url(file)}' />")
     end)
   end
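Review bot: `HtmlSanitizeEx.strip_tags/1` removes markup, but `emoji` and `file` are still interpolated into single-quoted attributes (`alt='…'`, `title='…'`, `src='…'`) on the `String.replace` line, and tag stripping is not attribute escaping. Whether a `'` in either value survives the stripping is not visible from this hunk, so the guarantee should be made explicit. Only substitute when the shortcode matches an allowlist, e.g. `Regex.match?(~r/\A[a-zA-Z0-9_+-]+\z/, emoji)`, and escape the result of `MediaProxy.url(file)` for attribute context before interpolating it. A one-line comment above the two new lines saying where these values originate would tell the next reader why they are treated as untrusted. The enclosing function starts above the hunk.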
index 55675ae1c38b624f71db2e4df5ee76b020a0a0b4..170b6ac6c19839ae8d23ac3afdb01fe0145a29d9 100644 (file)
@@ -77,7 +77,11 @@ defmodule Pleroma.Web.MastodonAPI.StatusView do
     reply_to_user = reply_to && User.get_cached_by_ap_id(reply_to.data["actor"])
 
     emojis = (activity.data["object"]["emoji"] || [])
-    |> Enum.map(fn {name, url} -> %{ shortcode: name, url: url, static_url: url } end)
+    |> Enum.map(fn {name, url} ->
+      name = HtmlSanitizeEx.strip_tags(name)
+      url = HtmlSanitizeEx.strip_tags(url)
+      %{ shortcode: name, url: url, static_url: url }
+    end)
 
     %{
       id: to_string(activity.id),
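Review bot: Stripping tags from `url` in the new `Enum.map` body does not establish that it is an http(s) URL, and the same value is handed to API clients as both `url` and `static_url`. A scheme check such as `URI.parse(url).scheme in ["http", "https"]`, with non-matching entries dropped, would state the contract clients can rely on. The same two-line sanitization now lives in both `Pleroma.Formatter` and this view; applying it once where `emoji` is stored on the object (not visible here) would keep the two render paths from drifting apart. The enclosing function starts and ends outside the hunk.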