From fbe9aa3506807b5c0f30ea8e877193a0b5ae91a6 Mon Sep 17 00:00:00 2001
From: lain <lain@soykaf.club>
Date: Fri, 23 Mar 2018 19:52:08 +0100
Subject: [PATCH] Strip html from emoji stuff.

---
 lib/pleroma/formatter.ex                          | 2 ++
 lib/pleroma/web/mastodon_api/views/status_view.ex | 6 +++++-
 2 files changed, 7 insertions(+), 1 deletion(-)

diff --git a/lib/pleroma/formatter.ex b/lib/pleroma/formatter.ex
index fdf91f56e..fd8465c1c 100644
--- a/lib/pleroma/formatter.ex
+++ b/lib/pleroma/formatter.ex
@@ -132,6 +132,8 @@ defmodule Pleroma.Formatter do
     end
 
     Enum.reduce(all_emoji, text, fn ({emoji, file}, text) ->
+      emoji = HtmlSanitizeEx.strip_tags(emoji)
+      file = HtmlSanitizeEx.strip_tags(file)
       String.replace(text, ":#{emoji}:", "<img height='32px' width='32px' alt='#{emoji}' title='#{emoji}' src='#{MediaProxy.url(file)}' />")
     end)
   end
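Review bot: The two added `strip_tags` calls remove tags but leave `'` untouched, and the next line still interpolates `emoji` and `MediaProxy.url(file)` into single-quoted `alt`, `title` and `src` attributes, so a quote in an emoji name or file path can still close the attribute and the tag is only partially neutralised. The right tool at this boundary is attribute escaping of the interpolated values, e.g. `Plug.HTML.html_escape/1`, kept separate from the stripped `emoji` that is used to build the `":#{emoji}:"` search pattern. The enclosing function starts before this hunk, so the origin of `all_emoji` is not visible here; whether `file` is operator-controlled or remote-supplied decides how much this matters, but escaping is cheap either way.

```elixir
Enum.reduce(all_emoji, text, fn {emoji, file}, text ->
  emoji = HtmlSanitizeEx.strip_tags(emoji)
  file = HtmlSanitizeEx.strip_tags(file)
  # strip_tags does not touch quotes, so escape at the attribute boundary as well
  safe_emoji = Plug.HTML.html_escape(emoji)
  safe_src = Plug.HTML.html_escape(MediaProxy.url(file))

  String.replace(text, ":#{emoji}:", "<img height='32px' width='32px' alt='#{safe_emoji}' title='#{safe_emoji}' src='#{safe_src}' />")
end)
```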
diff --git a/lib/pleroma/web/mastodon_api/views/status_view.ex b/lib/pleroma/web/mastodon_api/views/status_view.ex
index 55675ae1c..170b6ac6c 100644
--- a/lib/pleroma/web/mastodon_api/views/status_view.ex
+++ b/lib/pleroma/web/mastodon_api/views/status_view.ex
@@ -77,7 +77,11 @@ defmodule Pleroma.Web.MastodonAPI.StatusView do
     reply_to_user = reply_to && User.get_cached_by_ap_id(reply_to.data["actor"])
 
     emojis = (activity.data["object"]["emoji"] || [])
-    |> Enum.map(fn {name, url} -> %{ shortcode: name, url: url, static_url: url } end)
+    |> Enum.map(fn {name, url} ->
+      name = HtmlSanitizeEx.strip_tags(name)
+      url = HtmlSanitizeEx.strip_tags(url)
+      %{ shortcode: name, url: url, static_url: url }
+    end)
 
     %{
       id: to_string(activity.id),
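Review bot: `strip_tags` on `url` (line with `url = HtmlSanitizeEx.strip_tags(url)`) only removes markup; it does not check that the value is an `http`/`https` URL, so a non-web scheme in a remote object's `emoji` map reaches clients unchanged as both `url` and `static_url`. Since tags are not the hazard in a JSON view, a scheme check such as `String.starts_with?(url, ["http://", "https://"])` would be the more useful guard here, with a comment stating what the strip is meant to defend against. The formatter hunk in this same commit routes the emoji file through `MediaProxy.url/1` while this view emits `url` as received; if that asymmetry is intended it deserves a one-line comment, otherwise the view probably wants the same treatment. The enclosing `render` clause starts and ends outside this hunk.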
-- 
2.49.0