Fix exception when trying to serialize posts with <a> tags in them without hrefs (#1334)

* fix exception when trying to serialize posts with <a> tags in them without hrefs

* Add tests

Co-authored-by: Thibaut Girka <thib@sitedethib.com>
signup-info-prompt
Ben Lubar 2020-05-28 05:47:40 -05:00 committed by GitHub
parent c8cee24cb3
commit ead09f5ddc
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
3 changed files with 30 additions and 11 deletions

View File

@ -55,7 +55,7 @@ class Sanitize
end end
LINK_REL_TRANSFORMER = lambda do |env| LINK_REL_TRANSFORMER = lambda do |env|
return unless env[:node_name] == 'a' return unless env[:node_name] == 'a' and env[:node]['href']
node = env[:node] node = env[:node]

View File

@ -32,6 +32,7 @@ class TagManager
def local_url?(url) def local_url?(url)
uri = Addressable::URI.parse(url).normalize uri = Addressable::URI.parse(url).normalize
return false unless uri.host
domain = uri.host + (uri.port ? ":#{uri.port}" : '') domain = uri.host + (uri.port ? ":#{uri.port}" : '')
TagManager.instance.web_domain?(domain) TagManager.instance.web_domain?(domain)

View File

@ -4,15 +4,7 @@ require 'rails_helper'
require Rails.root.join('app', 'lib', 'sanitize_config.rb') require Rails.root.join('app', 'lib', 'sanitize_config.rb')
describe Sanitize::Config do describe Sanitize::Config do
describe '::MASTODON_STRICT' do shared_examples 'common HTML sanitization' do
subject { Sanitize::Config::MASTODON_STRICT }
around do |example|
original_web_domain = Rails.configuration.x.web_domain
example.run
Rails.configuration.x.web_domain = original_web_domain
end
it 'keeps h1' do it 'keeps h1' do
expect(Sanitize.fragment('<h1>Foo</h1>', subject)).to eq '<h1>Foo</h1>' expect(Sanitize.fragment('<h1>Foo</h1>', subject)).to eq '<h1>Foo</h1>'
end end
@ -37,13 +29,39 @@ describe Sanitize::Config do
expect(Sanitize.fragment('<a href="http://example.com">Test</a>', subject)).to eq '<a href="http://example.com" rel="nofollow noopener noreferrer" target="_blank">Test</a>' expect(Sanitize.fragment('<a href="http://example.com">Test</a>', subject)).to eq '<a href="http://example.com" rel="nofollow noopener noreferrer" target="_blank">Test</a>'
end end
it 'removes a with unparsable href' do
expect(Sanitize.fragment('<a href=" https://google.fr">Test</a>', subject)).to eq 'Test'
end
it 'keeps a with supported scheme and no host' do
expect(Sanitize.fragment('<a href="dweb:/a/foo">Test</a>', subject)).to eq '<a href="dweb:/a/foo" rel="nofollow noopener noreferrer" target="_blank">Test</a>'
end
end
describe '::MASTODON_STRICT' do
subject { Sanitize::Config::MASTODON_STRICT }
it_behaves_like 'common HTML sanitization'
it 'keeps a with href and rel tag' do it 'keeps a with href and rel tag' do
expect(Sanitize.fragment('<a href="http://example.com" rel="tag">Test</a>', subject)).to eq '<a href="http://example.com" rel="tag nofollow noopener noreferrer" target="_blank">Test</a>' expect(Sanitize.fragment('<a href="http://example.com" rel="tag">Test</a>', subject)).to eq '<a href="http://example.com" rel="tag nofollow noopener noreferrer" target="_blank">Test</a>'
end end
end
describe '::MASTODON_STRICT with outgoing toots' do
subject { Sanitize::Config::MASTODON_STRICT.merge(outgoing: true) }
around do |example|
original_web_domain = Rails.configuration.x.web_domain
example.run
Rails.configuration.x.web_domain = original_web_domain
end
it_behaves_like 'common HTML sanitization'
it 'keeps a with href and rel tag, not adding to rel if url is local' do it 'keeps a with href and rel tag, not adding to rel if url is local' do
Rails.configuration.x.web_domain = 'domain.test' Rails.configuration.x.web_domain = 'domain.test'
expect(Sanitize.fragment('<a href="http://domain.test/tags/foo" rel="tag">Test</a>', subject.merge(outgoing: true))).to eq '<a href="http://domain.test/tags/foo" rel="tag" target="_blank">Test</a>' expect(Sanitize.fragment('<a href="http://domain.test/tags/foo" rel="tag">Test</a>', subject)).to eq '<a href="http://domain.test/tags/foo" rel="tag" target="_blank">Test</a>'
end end
end end
end end