scrubbers: Scrub img class attribute
Closes: https://git.pleroma.social/pleroma/pleroma/-/merge_requests/3790
This commit is contained in:
parent
59b8c920f6
commit
508b438b53
3 changed files with 30 additions and 2 deletions
|
@ -64,13 +64,14 @@ defmodule Pleroma.HTML.Scrubber.Default do
|
||||||
@allow_inline_images Pleroma.Config.get([:markup, :allow_inline_images])
|
@allow_inline_images Pleroma.Config.get([:markup, :allow_inline_images])
|
||||||
|
|
||||||
if @allow_inline_images do
|
if @allow_inline_images do
|
||||||
|
Meta.allow_tag_with_this_attribute_values(:img, "class", ["emoji"])
|
||||||
|
|
||||||
# restrict img tags to http/https only, because of MediaProxy.
|
# restrict img tags to http/https only, because of MediaProxy.
|
||||||
Meta.allow_tag_with_uri_attributes(:img, ["src"], ["http", "https"])
|
Meta.allow_tag_with_uri_attributes(:img, ["src"], ["http", "https"])
|
||||||
|
|
||||||
Meta.allow_tag_with_these_attributes(:img, [
|
Meta.allow_tag_with_these_attributes(:img, [
|
||||||
"width",
|
"width",
|
||||||
"height",
|
"height",
|
||||||
"class",
|
|
||||||
"title",
|
"title",
|
||||||
"alt"
|
"alt"
|
||||||
])
|
])
|
||||||
|
|
|
@ -41,13 +41,14 @@ defmodule Pleroma.HTML.Scrubber.TwitterText do
|
||||||
|
|
||||||
# allow inline images for custom emoji
|
# allow inline images for custom emoji
|
||||||
if Pleroma.Config.get([:markup, :allow_inline_images]) do
|
if Pleroma.Config.get([:markup, :allow_inline_images]) do
|
||||||
|
Meta.allow_tag_with_this_attribute_values(:img, "class", ["emoji"])
|
||||||
|
|
||||||
# restrict img tags to http/https only, because of MediaProxy.
|
# restrict img tags to http/https only, because of MediaProxy.
|
||||||
Meta.allow_tag_with_uri_attributes(:img, ["src"], ["http", "https"])
|
Meta.allow_tag_with_uri_attributes(:img, ["src"], ["http", "https"])
|
||||||
|
|
||||||
Meta.allow_tag_with_these_attributes(:img, [
|
Meta.allow_tag_with_these_attributes(:img, [
|
||||||
"width",
|
"width",
|
||||||
"height",
|
"height",
|
||||||
"class",
|
|
||||||
"title",
|
"title",
|
||||||
"alt"
|
"alt"
|
||||||
])
|
])
|
||||||
|
|
|
@ -17,6 +17,7 @@ defmodule Pleroma.HTMLTest do
|
||||||
this is a link with allowed "rel" attribute: <a href="http://example.com/" rel="tag">example.com</a>
|
this is a link with allowed "rel" attribute: <a href="http://example.com/" rel="tag">example.com</a>
|
||||||
this is a link with not allowed "rel" attribute: <a href="http://example.com/" rel="tag noallowed">example.com</a>
|
this is a link with not allowed "rel" attribute: <a href="http://example.com/" rel="tag noallowed">example.com</a>
|
||||||
this is an image: <img src="http://example.com/image.jpg"><br />
|
this is an image: <img src="http://example.com/image.jpg"><br />
|
||||||
|
this is an inline emoji: <img class="emoji" src="http://example.com/image.jpg"><br />
|
||||||
<script>alert('hacked')</script>
|
<script>alert('hacked')</script>
|
||||||
"""
|
"""
|
||||||
|
|
||||||
|
@ -24,6 +25,10 @@ defmodule Pleroma.HTMLTest do
|
||||||
<img src="http://example.com/image.jpg" onerror="alert('hacked')">
|
<img src="http://example.com/image.jpg" onerror="alert('hacked')">
|
||||||
"""
|
"""
|
||||||
|
|
||||||
|
@html_stillimage_sample """
|
||||||
|
<img class="still-image" src="http://example.com/image.jpg">
|
||||||
|
"""
|
||||||
|
|
||||||
@html_span_class_sample """
|
@html_span_class_sample """
|
||||||
<span class="animate-spin">hi</span>
|
<span class="animate-spin">hi</span>
|
||||||
"""
|
"""
|
||||||
|
@ -45,6 +50,7 @@ defmodule Pleroma.HTMLTest do
|
||||||
this is a link with allowed "rel" attribute: example.com
|
this is a link with allowed "rel" attribute: example.com
|
||||||
this is a link with not allowed "rel" attribute: example.com
|
this is a link with not allowed "rel" attribute: example.com
|
||||||
this is an image:
|
this is an image:
|
||||||
|
this is an inline emoji:
|
||||||
alert('hacked')
|
alert('hacked')
|
||||||
"""
|
"""
|
||||||
|
|
||||||
|
@ -67,6 +73,7 @@ defmodule Pleroma.HTMLTest do
|
||||||
this is a link with allowed "rel" attribute: <a href="http://example.com/" rel="tag">example.com</a>
|
this is a link with allowed "rel" attribute: <a href="http://example.com/" rel="tag">example.com</a>
|
||||||
this is a link with not allowed "rel" attribute: <a href="http://example.com/">example.com</a>
|
this is a link with not allowed "rel" attribute: <a href="http://example.com/">example.com</a>
|
||||||
this is an image: <img src="http://example.com/image.jpg"/><br/>
|
this is an image: <img src="http://example.com/image.jpg"/><br/>
|
||||||
|
this is an inline emoji: <img class="emoji" src="http://example.com/image.jpg"/><br/>
|
||||||
alert('hacked')
|
alert('hacked')
|
||||||
"""
|
"""
|
||||||
|
|
||||||
|
@ -90,6 +97,15 @@ defmodule Pleroma.HTMLTest do
|
||||||
HTML.filter_tags(@html_span_class_sample, Pleroma.HTML.Scrubber.TwitterText)
|
HTML.filter_tags(@html_span_class_sample, Pleroma.HTML.Scrubber.TwitterText)
|
||||||
end
|
end
|
||||||
|
|
||||||
|
test "does not allow images with invalid classes" do
|
||||||
|
expected = """
|
||||||
|
<img src="http://example.com/image.jpg"/>
|
||||||
|
"""
|
||||||
|
|
||||||
|
assert expected ==
|
||||||
|
HTML.filter_tags(@html_stillimage_sample, Pleroma.HTML.Scrubber.TwitterText)
|
||||||
|
end
|
||||||
|
|
||||||
test "does allow microformats" do
|
test "does allow microformats" do
|
||||||
expected = """
|
expected = """
|
||||||
<span class="h-card"><a class="u-url mention">@<span>foo</span></a></span>
|
<span class="h-card"><a class="u-url mention">@<span>foo</span></a></span>
|
||||||
|
@ -121,6 +137,7 @@ defmodule Pleroma.HTMLTest do
|
||||||
this is a link with allowed "rel" attribute: <a href="http://example.com/" rel="tag">example.com</a>
|
this is a link with allowed "rel" attribute: <a href="http://example.com/" rel="tag">example.com</a>
|
||||||
this is a link with not allowed "rel" attribute: <a href="http://example.com/">example.com</a>
|
this is a link with not allowed "rel" attribute: <a href="http://example.com/">example.com</a>
|
||||||
this is an image: <img src="http://example.com/image.jpg"/><br/>
|
this is an image: <img src="http://example.com/image.jpg"/><br/>
|
||||||
|
this is an inline emoji: <img class="emoji" src="http://example.com/image.jpg"/><br/>
|
||||||
alert('hacked')
|
alert('hacked')
|
||||||
"""
|
"""
|
||||||
|
|
||||||
|
@ -143,6 +160,15 @@ defmodule Pleroma.HTMLTest do
|
||||||
assert expected == HTML.filter_tags(@html_span_class_sample, Pleroma.HTML.Scrubber.Default)
|
assert expected == HTML.filter_tags(@html_span_class_sample, Pleroma.HTML.Scrubber.Default)
|
||||||
end
|
end
|
||||||
|
|
||||||
|
test "does not allow images with invalid classes" do
|
||||||
|
expected = """
|
||||||
|
<img src="http://example.com/image.jpg"/>
|
||||||
|
"""
|
||||||
|
|
||||||
|
assert expected ==
|
||||||
|
HTML.filter_tags(@html_stillimage_sample, Pleroma.HTML.Scrubber.TwitterText)
|
||||||
|
end
|
||||||
|
|
||||||
test "does allow microformats" do
|
test "does allow microformats" do
|
||||||
expected = """
|
expected = """
|
||||||
<span class="h-card"><a class="u-url mention">@<span>foo</span></a></span>
|
<span class="h-card"><a class="u-url mention">@<span>foo</span></a></span>
|
||||||
|
|
Loading…
Reference in a new issue