static_fe: Sanitize HTML in posts

Note: Seems to have different sanitization with TwitterCard generator giving the following: <meta content=\"“alert('xss')”\" property=\"twitter:description\">
2020-03-15 15:45:57 +01:00 · 2020-03-15 15:45:57 +01:00 · 0ac6e29654
parent fa4ec17c84
commit 0ac6e29654
2 changed files with 21 additions and 1 deletions
--- a/lib/pleroma/web/static_fe/static_fe_controller.ex
+++ b/lib/pleroma/web/static_fe/static_fe_controller.ex
@ -58,10 +58,17 @@ defmodule Pleroma.Web.StaticFE.StaticFEController do
        _ -> data["url"] || data["external_url"] || data["id"]
      end

+    content =
+      if data["content"] do
+        Pleroma.HTML.filter_tags(data["content"])
+      else
+        nil
+      end
+
    %{
      user: user,
      title: get_title(activity.object),
-      content: data["content"] || nil,
+      content: content,
      attachment: data["attachment"],
      link: link,
      published: data["published"],
--- a/test/web/static_fe/static_fe_controller_test.exs
+++ b/test/web/static_fe/static_fe_controller_test.exs
@ -92,6 +92,19 @@ defmodule Pleroma.Web.StaticFE.StaticFEControllerTest do
      assert html =~ "testing a thing!"
    end

+    test "filters HTML tags", %{conn: conn} do
+      user = insert(:user)
+      {:ok, activity} = CommonAPI.post(user, %{"status" => "<script>alert('xss')</script>"})
+
+      conn =
+        conn
+        |> put_req_header("accept", "text/html")
+        |> get("/notice/#{activity.id}")
+
+      html = html_response(conn, 200)
+      assert html =~ ~s[&lt;script&gt;alert(&#39;xss&#39;)&lt;/script&gt;]
+    end
+
    test "shows the whole thread", %{conn: conn, user: user} do
      {:ok, activity} = CommonAPI.post(user, %{"status" => "space: the final frontier"})