Make sanitizer *not* add no-referrer etc. in local markdown toots if the link is “safe”

signup-info-prompt
Thibaut Girka 2020-03-22 17:56:49 +01:00 committed by ThibG
parent 2c510ee00a
commit 02f1c04fab
3 changed files with 20 additions and 6 deletions

View File

@ -59,7 +59,7 @@ class Formatter
html = "RT @#{prepend_reblog} #{html}" if prepend_reblog html = "RT @#{prepend_reblog} #{html}" if prepend_reblog
html = format_markdown(html) if status.content_type == 'text/markdown' html = format_markdown(html) if status.content_type == 'text/markdown'
html = encode_and_link_urls(html, linkable_accounts, keep_html: %w(text/markdown text/html).include?(status.content_type)) html = encode_and_link_urls(html, linkable_accounts, keep_html: %w(text/markdown text/html).include?(status.content_type))
html = reformat(html) if %w(text/markdown text/html).include?(status.content_type) html = reformat(html, true) if %w(text/markdown text/html).include?(status.content_type)
html = encode_custom_emojis(html, status.emojis, options[:autoplay]) if options[:custom_emojify] html = encode_custom_emojis(html, status.emojis, options[:autoplay]) if options[:custom_emojify]
unless %w(text/markdown text/html).include?(status.content_type) unless %w(text/markdown text/html).include?(status.content_type)
@ -75,8 +75,8 @@ class Formatter
html.delete("\r").delete("\n") html.delete("\r").delete("\n")
end end
def reformat(html) def reformat(html, outgoing = false)
sanitize(html, Sanitize::Config::MASTODON_STRICT) sanitize(html, Sanitize::Config::MASTODON_STRICT.merge(outgoing: outgoing))
rescue ArgumentError rescue ArgumentError
'' ''
end end

View File

@ -60,7 +60,10 @@ class Sanitize
node = env[:node] node = env[:node]
rel = (node['rel'] || '').split(' ') & ['tag'] rel = (node['rel'] || '').split(' ') & ['tag']
node['rel'] = (['nofollow', 'noopener', 'noreferrer'] + rel).join(' ') unless env[:config][:outgoing] && TagManager.instance.local_url?(node['href'])
rel += ['nofollow', 'noopener', 'noreferrer']
end
node['rel'] = rel.join(' ')
end end
UNSUPPORTED_HREF_TRANSFORMER = lambda do |env| UNSUPPORTED_HREF_TRANSFORMER = lambda do |env|
@ -103,8 +106,8 @@ class Sanitize
transformers: [ transformers: [
CLASS_WHITELIST_TRANSFORMER, CLASS_WHITELIST_TRANSFORMER,
IMG_TAG_TRANSFORMER, IMG_TAG_TRANSFORMER,
LINK_REL_TRANSFORMER,
UNSUPPORTED_HREF_TRANSFORMER, UNSUPPORTED_HREF_TRANSFORMER,
LINK_REL_TRANSFORMER,
] ]
) )

View File

@ -7,6 +7,12 @@ describe Sanitize::Config do
describe '::MASTODON_STRICT' do describe '::MASTODON_STRICT' do
subject { Sanitize::Config::MASTODON_STRICT } subject { Sanitize::Config::MASTODON_STRICT }
around do |example|
original_web_domain = Rails.configuration.x.web_domain
example.run
Rails.configuration.x.web_domain = original_web_domain
end
it 'keeps h1' do it 'keeps h1' do
expect(Sanitize.fragment('<h1>Foo</h1>', subject)).to eq '<h1>Foo</h1>' expect(Sanitize.fragment('<h1>Foo</h1>', subject)).to eq '<h1>Foo</h1>'
end end
@ -32,7 +38,12 @@ describe Sanitize::Config do
end end
it 'keeps a with href and rel tag' do it 'keeps a with href and rel tag' do
expect(Sanitize.fragment('<a href="http://example.com" rel="tag">Test</a>', subject)).to eq '<a href="http://example.com" rel="nofollow noopener noreferrer tag" target="_blank">Test</a>' expect(Sanitize.fragment('<a href="http://example.com" rel="tag">Test</a>', subject)).to eq '<a href="http://example.com" rel="tag nofollow noopener noreferrer" target="_blank">Test</a>'
end
it 'keeps a with href and rel tag, not adding to rel if url is local' do
Rails.configuration.x.web_domain = 'domain.test'
expect(Sanitize.fragment('<a href="http://domain.test/tags/foo" rel="tag">Test</a>', subject.merge(outgoing: true))).to eq '<a href="http://domain.test/tags/foo" rel="tag" target="_blank">Test</a>'
end end
end end
end end