mastodon API: do not sanitize html in non-html fields

rinpatch 2020-01-30 19:47:57 +03:00
parent 946de2299c
commit 983a87175e
6 changed files with 10 additions and 25 deletions


@ -37,6 +37,7 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/).
- **Breaking:** Admin API: `PUT /api/pleroma/admin/reports/:id` is now `PATCH /api/pleroma/admin/reports`, see admin_api.md for details - **Breaking:** Admin API: `PUT /api/pleroma/admin/reports/:id` is now `PATCH /api/pleroma/admin/reports`, see admin_api.md for details
- **Breaking:** `/api/pleroma/admin/users/invite_token` now uses `POST`, changed accepted params and returns full invite in json instead of only token string. - **Breaking:** `/api/pleroma/admin/users/invite_token` now uses `POST`, changed accepted params and returns full invite in json instead of only token string.
- **Breaking** replying to reports is now "report notes", enpoint changed from `POST /api/pleroma/admin/reports/:id/respond` to `POST /api/pleroma/admin/reports/:id/notes` - **Breaking** replying to reports is now "report notes", enpoint changed from `POST /api/pleroma/admin/reports/:id/respond` to `POST /api/pleroma/admin/reports/:id/notes`
- Mastodon API: stopped sanitizing display names, field names and subject fields since they are supposed to be treated as plaintext
- Admin API: Return `total` when querying for reports - Admin API: Return `total` when querying for reports
- Mastodon API: Return `pleroma.direct_conversation_id` when creating a direct message (`POST /api/v1/statuses`) - Mastodon API: Return `pleroma.direct_conversation_id` when creating a direct message (`POST /api/v1/statuses`)
- Admin API: Return link alongside with token on password reset - Admin API: Return link alongside with token on password reset


@ -67,7 +67,7 @@ defmodule Pleroma.Web.MastodonAPI.AccountView do
end end
defp do_render("show.json", %{user: user} = opts) do defp do_render("show.json", %{user: user} = opts) do
display_name = HTML.strip_tags(user.name || user.nickname) display_name = user.name || user.nickname
image = User.avatar_url(user) |> MediaProxy.url() image = User.avatar_url(user) |> MediaProxy.url()
header = User.banner_url(user) |> MediaProxy.url() header = User.banner_url(user) |> MediaProxy.url()
@ -105,7 +105,7 @@ defmodule Pleroma.Web.MastodonAPI.AccountView do
|> User.fields() |> User.fields()
|> Enum.map(fn %{"name" => name, "value" => value} -> |> Enum.map(fn %{"name" => name, "value" => value} ->
%{ %{
"name" => Pleroma.HTML.strip_tags(name), "name" => name,
"value" => Pleroma.HTML.filter_tags(value, Pleroma.HTML.Scrubber.LinksOnly) "value" => Pleroma.HTML.filter_tags(value, Pleroma.HTML.Scrubber.LinksOnly)
} }
end) end)
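Review bot: `display_name` and the profile field `"name"` are now returned exactly as stored, so any markup in a local or federated profile reaches API consumers unchanged; the same applies to the poll option `title` in PollView and to `spoiler_text` in StatusView further down. That is safe only if every consumer treats these values as plaintext and escapes them on output, because anything that previously inserted them as HTML was relying on the server-side strip. Before merging I would check the other callers of these views in the tree (not visible on this page) and record the contract next to the code, e.g. `# Plaintext per the Mastodon API; consumers must HTML-escape before rendering` above `display_name = user.name || user.nickname`. The body of `do_render` continues outside the hunks shown.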


@ -5,7 +5,6 @@
defmodule Pleroma.Web.MastodonAPI.PollView do defmodule Pleroma.Web.MastodonAPI.PollView do
use Pleroma.Web, :view use Pleroma.Web, :view
alias Pleroma.HTML
alias Pleroma.Web.CommonAPI.Utils alias Pleroma.Web.CommonAPI.Utils
def render("show.json", %{object: object, multiple: multiple, options: options} = params) do def render("show.json", %{object: object, multiple: multiple, options: options} = params) do
@ -57,7 +56,7 @@ defmodule Pleroma.Web.MastodonAPI.PollView do
current_count = option["replies"]["totalItems"] || 0 current_count = option["replies"]["totalItems"] || 0
{%{ {%{
title: HTML.strip_tags(name), title: name,
votes_count: current_count votes_count: current_count
}, current_count + count} }, current_count + count}
end) end)


@ -216,21 +216,6 @@ defmodule Pleroma.Web.MastodonAPI.StatusView do
summary = object.data["summary"] || "" summary = object.data["summary"] || ""
summary_html =
summary
|> HTML.get_cached_scrubbed_html_for_activity(
User.html_filter_policy(opts[:for]),
activity,
"mastoapi:summary"
)
summary_plaintext =
summary
|> HTML.get_cached_stripped_html_for_activity(
activity,
"mastoapi:summary"
)
card = render("card.json", Pleroma.Web.RichMedia.Helpers.fetch_data_for_activity(activity)) card = render("card.json", Pleroma.Web.RichMedia.Helpers.fetch_data_for_activity(activity))
url = url =
@ -282,7 +267,7 @@ defmodule Pleroma.Web.MastodonAPI.StatusView do
muted: thread_muted? || User.mutes?(opts[:for], user), muted: thread_muted? || User.mutes?(opts[:for], user),
pinned: pinned?(activity, user), pinned: pinned?(activity, user),
sensitive: sensitive, sensitive: sensitive,
spoiler_text: summary_html, spoiler_text: summary,
visibility: get_visibility(object), visibility: get_visibility(object),
media_attachments: attachments, media_attachments: attachments,
poll: render(PollView, "show.json", object: object, for: opts[:for]), poll: render(PollView, "show.json", object: object, for: opts[:for]),
@ -299,7 +284,7 @@ defmodule Pleroma.Web.MastodonAPI.StatusView do
conversation_id: get_context_id(activity), conversation_id: get_context_id(activity),
in_reply_to_account_acct: reply_to_user && reply_to_user.nickname, in_reply_to_account_acct: reply_to_user && reply_to_user.nickname,
content: %{"text/plain" => content_plaintext}, content: %{"text/plain" => content_plaintext},
spoiler_text: %{"text/plain" => summary_plaintext}, spoiler_text: %{"text/plain" => summary},
expires_at: expires_at, expires_at: expires_at,
direct_conversation_id: direct_conversation_id, direct_conversation_id: direct_conversation_id,
thread_muted: thread_muted?, thread_muted: thread_muted?,
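Review bot: The `"text/plain"` entry under the Pleroma-specific `spoiler_text` now carries `object.data["summary"]` unmodified, where it used to carry the tag-stripped `summary_plaintext`. If a remote object supplies a summary that contains markup, clients receive the tags under a key that promises plain text, so the value is only safe when escaped on output. I would either keep the strip for this one key or say so at the line, e.g. `# raw summary: may contain markup from remote objects, not stripped`. With both cached lookups removed it is also worth confirming that the `HTML` and `User` aliases are still used in this module; the enclosing function starts and ends outside the hunks shown.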


@ -269,7 +269,7 @@ defmodule Pleroma.Web.MastodonAPI.MastodonAPIController.UpdateCredentialsTest do
|> json_response(200) |> json_response(200)
assert account_data["fields"] == [ assert account_data["fields"] == [
%{"name" => "foo", "value" => "bar"}, %{"name" => "<a href=\"http://google.com\">foo</a>", "value" => "bar"},
%{"name" => "link", "value" => ~S(<a href="http://cofe.io" rel="ugc">cofe.io</a>)} %{"name" => "link", "value" => ~S(<a href="http://cofe.io" rel="ugc">cofe.io</a>)}
] ]
@ -297,7 +297,7 @@ defmodule Pleroma.Web.MastodonAPI.MastodonAPIController.UpdateCredentialsTest do
|> json_response(200) |> json_response(200)
assert account["fields"] == [ assert account["fields"] == [
%{"name" => "foo", "value" => "bar"}, %{"name" => "<a href=\"http://google.com\">foo</a>", "value" => "bar"},
%{"name" => "link", "value" => ~S(<a href="http://cofe.io" rel="ugc">cofe.io</a>)} %{"name" => "link", "value" => ~S(<a href="http://cofe.io" rel="ugc">cofe.io</a>)}
] ]


@ -368,10 +368,10 @@ defmodule Pleroma.Web.MastodonAPI.AccountViewTest do
assert result.pleroma[:settings_store] == nil assert result.pleroma[:settings_store] == nil
end end
test "sanitizes display names" do test "doesn't sanitize display names" do
user = insert(:user, name: "<marquee> username </marquee>") user = insert(:user, name: "<marquee> username </marquee>")
result = AccountView.render("show.json", %{user: user}) result = AccountView.render("show.json", %{user: user})
refute result.display_name == "<marquee> username </marquee>" assert result.display_name == "<marquee> username </marquee>"
end end
test "never display nil user follow counts" do test "never display nil user follow counts" do
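Review bot: The renamed test pins pass-through only for `display_name`; nothing on this page asserts the same for poll option titles or `spoiler_text`, which the commit changes in the same way. Because the assertion now deliberately expects raw markup in the response, a short comment such as `# display_name is plaintext per the Mastodon API; escaping is the client's job` would stop a later reader from treating it as a missed sanitization. Parallel cases for PollView and StatusView would keep the three fields from drifting apart.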