Whitelist allowed classes for federated statuses (#3810)
* Whitelist allowed classes for federated statuses Allowed classes are currently: - Any microformats class (h/p/u/dt/e-*) - the classes mention, hashtag, ellipses and invisible. this last one is somewhat suspect, but Mastodon currently uses it to render hidden link text. resolved #3790 * Fix code stylepull/3729/head^2
parent
8fd931dc12
commit
94d0e012de
|
@ -4,6 +4,21 @@ class Sanitize
|
||||||
module Config
|
module Config
|
||||||
HTTP_PROTOCOLS ||= ['http', 'https', :relative].freeze
|
HTTP_PROTOCOLS ||= ['http', 'https', :relative].freeze
|
||||||
|
|
||||||
|
CLASS_WHITELIST_TRANSFORMER = lambda do |env|
|
||||||
|
node = env[:node]
|
||||||
|
class_list = node['class']&.split(' ')
|
||||||
|
|
||||||
|
return unless class_list
|
||||||
|
|
||||||
|
class_list.keep_if do |e|
|
||||||
|
return true if e =~ /^(h|p|u|dt|e)-/ # microformats classes
|
||||||
|
return true if e =~ /^(mention|hashtag)$/ # semantic classes
|
||||||
|
return true if e =~ /^(ellipsis|invisible)$/ # link formatting classes
|
||||||
|
end
|
||||||
|
|
||||||
|
node['class'] = class_list.join(' ')
|
||||||
|
end
|
||||||
|
|
||||||
MASTODON_STRICT ||= freeze_config(
|
MASTODON_STRICT ||= freeze_config(
|
||||||
elements: %w(p br span a),
|
elements: %w(p br span a),
|
||||||
|
|
||||||
|
@ -21,7 +36,11 @@ class Sanitize
|
||||||
|
|
||||||
protocols: {
|
protocols: {
|
||||||
'a' => { 'href' => HTTP_PROTOCOLS },
|
'a' => { 'href' => HTTP_PROTOCOLS },
|
||||||
}
|
},
|
||||||
|
|
||||||
|
transformers: [
|
||||||
|
CLASS_WHITELIST_TRANSFORMER,
|
||||||
|
]
|
||||||
)
|
)
|
||||||
|
|
||||||
MASTODON_OEMBED ||= freeze_config merge(
|
MASTODON_OEMBED ||= freeze_config merge(
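Review bot: The three `return true if …` lines inside `class_list.keep_if do |e|` return from the enclosing `CLASS_WHITELIST_TRANSFORMER` lambda, not from the `keep_if` block, so the first token that matches the whitelist aborts the transformer before `node['class'] = class_list.join(' ')` runs and the original `class` attribute — including any non-whitelisted tokens after that one — is left on the node; a token that matches nothing makes the block evaluate to nil and is dropped, which is why a lone bad class appears to be stripped. Change the three lines to `next true if …`, or collapse the block to one boolean, `class_list.keep_if { |e| e =~ /^(h|p|u|dt|e)-/ || e =~ /^(mention|hashtag)$/ || e =~ /^(ellipsis|invisible)$/ }`. The spec added in this commit only exercises a single disallowed token; a case whose class list begins with an allowed token, e.g. `let(:text) { '<span class="mention status__content__spoiler-link">Show more</span>' }`, would expose the early return. Since tokens come from `split(' ')` they cannot contain newlines, so the `^`/`$` anchors are acceptable here, though `\A`/`\z` would state the intent more precisely.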
|
||||||
|
|
|
@ -204,6 +204,14 @@ RSpec.describe Formatter do
|
||||||
is_expected.to_not include '<script>alert("Hello")</script>'
|
is_expected.to_not include '<script>alert("Hello")</script>'
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
|
|
||||||
|
context 'contains malicious classes' do
|
||||||
|
let(:text) { '<span class="status__content__spoiler-link">Show more</span>' }
|
||||||
|
|
||||||
|
it 'strips malicious classes' do
|
||||||
|
is_expected.to_not include 'status__content__spoiler-link'
|
||||||
|
end
|
||||||
|
end
|
||||||
end
|
end
|
||||||
|
|
||||||
describe '#plaintext' do
|
describe '#plaintext' do
|
||||||
|
|