diff --git a/lib/pleroma/web/activity_pub/object_validators/types/safe_text.ex b/lib/pleroma/web/activity_pub/object_validators/types/safe_text.ex
index 822e8d2c1..95c948123 100644
--- a/lib/pleroma/web/activity_pub/object_validators/types/safe_text.ex
+++ b/lib/pleroma/web/activity_pub/object_validators/types/safe_text.ex
@@ -10,7 +10,7 @@ defmodule Pleroma.Web.ActivityPub.ObjectValidators.Types.SafeText do
def type, do: :string
def cast(str) when is_binary(str) do
- {:ok, HTML.strip_tags(str)}
+ {:ok, HTML.filter_tags(str)}
end
def cast(_), do: :error
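Review bot: With `HTML.filter_tags(str)` the set of tags that survive the cast is no longer fixed in this module but comes from whichever scrubber `filter_tags/1` resolves at runtime (in Pleroma that appears to be the configured `:markup` scrub policy), so `SafeText` is now only as safe as that configuration, and nothing in the hunk records this. A one-line comment above the call would make the dependency visible to the next maintainer: `# Allowed tags come from the configured scrub policy; everything else is dropped, so stored content is only as safe as that policy.`. It would also help to state in the `@moduledoc` that the type filters rather than strips markup, since callers that relied on `strip_tags` producing plain text now receive HTML. The enclosing module starts before line 10, outside this hunk.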
diff --git a/test/web/activity_pub/object_validator_test.exs b/test/web/activity_pub/object_validator_test.exs
index 929fdbc9b..31224abe0 100644
--- a/test/web/activity_pub/object_validator_test.exs
+++ b/test/web/activity_pub/object_validator_test.exs
@@ -113,6 +113,20 @@ defmodule Pleroma.Web.ActivityPub.ObjectValidatorTest do
%{user: user, recipient: recipient, valid_chat_message: valid_chat_message}
end
+ test "let's through some basic html", %{user: user, recipient: recipient} do
+ {:ok, valid_chat_message, _} =
+ Builder.chat_message(
+ user,
+ recipient.ap_id,
+ "hey example "
+ )
+
+ assert {:ok, object, _meta} = ObjectValidator.validate(valid_chat_message, [])
+
+ assert object["content"] ==
+ "hey example alert('uguu')"
+ end
+
test "validates for a basic object we build", %{valid_chat_message: valid_chat_message} do
assert {:ok, object, _meta} = ObjectValidator.validate(valid_chat_message, [])
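Review bot: The expected content on the `assert object["content"] ==` line shows no surviving element, so as rendered here the test does not demonstrate what "let's through some basic html" claims; it looks like the markup was dropped when this page was rendered (the trailing space in `"hey example "` suggests a tag was removed), in which case please check the committed fixture still contains an allowed element and a disallowed one. Either way the assertion pins the output of the default scrub policy, so a config change silently breaks it; a short comment such as `# expected output depends on the configured :markup scrub policy` would explain future failures. The same applies to "it keeps basic html tags" in safe_text_test.exs, whose expected string is identical to the existing strip-tags case above it.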
diff --git a/test/web/activity_pub/object_validators/types/safe_text_test.exs b/test/web/activity_pub/object_validators/types/safe_text_test.exs
index 59ed0a1fe..d4a574554 100644
--- a/test/web/activity_pub/object_validators/types/safe_text_test.exs
+++ b/test/web/activity_pub/object_validators/types/safe_text_test.exs
@@ -17,6 +17,13 @@ defmodule Pleroma.Web.ActivityPub.ObjectValidators.Types.SafeTextTest do
assert {:ok, "hey look xss alert('foo')"} == SafeText.cast(text)
end
+ test "it keeps basic html tags" do
+ text = "hey look xss "
+
+ assert {:ok, "hey look xss alert('foo')"} ==
+ SafeText.cast(text)
+ end
+
test "errors for non-text" do
assert :error == SafeText.cast(1)
end