SafeText: Let through basic html.

This commit is contained in:
lain 2020-05-30 12:17:18 +02:00
parent 32431ad1ee
commit 2c9465cc51
3 changed files with 22 additions and 1 deletions


@ -10,7 +10,7 @@ defmodule Pleroma.Web.ActivityPub.ObjectValidators.Types.SafeText do
def type, do: :string def type, do: :string
def cast(str) when is_binary(str) do def cast(str) when is_binary(str) do
{:ok, HTML.strip_tags(str)} {:ok, HTML.filter_tags(str)}
end end
def cast(_), do: :error def cast(_), do: :error
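Review bot: The new `HTML.filter_tags(str)` call in `cast/1` leaves the allow-list implicit: which tags and attributes survive is decided by whatever scrubber `filter_tags/1` applies by default (presumably configuration-driven), so the guarantee the `SafeText` name promises is no longer visible in this module. The test hunks below show the resulting contract — `<a href>` is preserved, `<script>` is dropped but its text content is kept and entity-escaped — and callers of this type now depend on it. I would state that above the call, e.g. `# Applies the default scrubber; which tags survive (e.g. <a>) is a security decision made in the HTML module's configuration, not here.`, or pass the intended scrubber explicitly so the policy is pinned in this type. The hunk header counts seven lines but only five are shown, so some context around `cast/1` may be missing from this rendering.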


@ -113,6 +113,20 @@ defmodule Pleroma.Web.ActivityPub.ObjectValidatorTest do
%{user: user, recipient: recipient, valid_chat_message: valid_chat_message} %{user: user, recipient: recipient, valid_chat_message: valid_chat_message}
end end
test "let's through some basic html", %{user: user, recipient: recipient} do
{:ok, valid_chat_message, _} =
Builder.chat_message(
user,
recipient.ap_id,
"hey <a href='https://example.org'>example</a> <script>alert('uguu')</script>"
)
assert {:ok, object, _meta} = ObjectValidator.validate(valid_chat_message, [])
assert object["content"] ==
"hey <a href=\"https://example.org\">example</a> alert(&#39;uguu&#39;)"
end
test "validates for a basic object we build", %{valid_chat_message: valid_chat_message} do test "validates for a basic object we build", %{valid_chat_message: valid_chat_message} do
assert {:ok, object, _meta} = ObjectValidator.validate(valid_chat_message, []) assert {:ok, object, _meta} = ObjectValidator.validate(valid_chat_message, [])
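Review bot: The test name on the `test "let's through some basic html"` line reads as a typo for "lets through"; since ExUnit test names appear in failure output and filters, I would rename it to `test "lets through basic html"`. The expected content on the assertion also encodes two scrubber behaviours beyond the allow-list — the single-quoted href is rewritten with double quotes, and the `<script>` body survives as escaped text — which deserves a one-line comment so a future scrubber change is recognised as intentional, e.g. `# The default scrubber normalises attribute quoting and keeps (escapes) text inside dropped tags.`. The same comment applies to the SafeTextTest hunk below.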


@ -17,6 +17,13 @@ defmodule Pleroma.Web.ActivityPub.ObjectValidators.Types.SafeTextTest do
assert {:ok, "hey look xss alert(&#39;foo&#39;)"} == SafeText.cast(text) assert {:ok, "hey look xss alert(&#39;foo&#39;)"} == SafeText.cast(text)
end end
test "it keeps basic html tags" do
text = "hey <a href='http://gensokyo.2hu'>look</a> xss <script>alert('foo')</script>"
assert {:ok, "hey <a href=\"http://gensokyo.2hu\">look</a> xss alert(&#39;foo&#39;)"} ==
SafeText.cast(text)
end
test "errors for non-text" do test "errors for non-text" do
assert :error == SafeText.cast(1) assert :error == SafeText.cast(1)
end end
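Review bot: The new test pins only the happy path — an `<a>` whose href is a plain `http://` URL — so nothing here establishes what happens to the attribute that becomes dangerous once anchors are let through, namely an href with a non-HTTP scheme. Whether the default scrubber drops such hrefs is outside what this page shows, so I would add a companion test that does not depend on the exact output, e.g. `assert {:ok, out} = SafeText.cast("<a href='javascript:void(0)'>x</a>")` followed by `refute out =~ "javascript:"`, so a scrubber regression in that area fails here rather than in production. The test body itself is complete within the hunk.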