static_fe: Sanitize HTML in posts

Note: Seems to have different sanitization with TwitterCard generator giving
the following:

<meta content=\"“alert(&#39;xss&#39;)”\" property=\"twitter:description\">
This commit is contained in:
Haelwenn (lanodan) Monnier 2020-03-15 15:45:57 +01:00
parent fa4ec17c84
commit 0ac6e29654
2 changed files with 21 additions and 1 deletions

View File

@ -58,10 +58,17 @@ defmodule Pleroma.Web.StaticFE.StaticFEController do
_ -> data["url"] || data["external_url"] || data["id"] _ -> data["url"] || data["external_url"] || data["id"]
end end
content =
if data["content"] do
Pleroma.HTML.filter_tags(data["content"])
else
nil
end
%{ %{
user: user, user: user,
title: get_title(activity.object), title: get_title(activity.object),
content: data["content"] || nil, content: content,
attachment: data["attachment"], attachment: data["attachment"],
link: link, link: link,
published: data["published"], published: data["published"],

View File

@ -92,6 +92,19 @@ defmodule Pleroma.Web.StaticFE.StaticFEControllerTest do
assert html =~ "testing a thing!" assert html =~ "testing a thing!"
end end
test "filters HTML tags", %{conn: conn} do
user = insert(:user)
{:ok, activity} = CommonAPI.post(user, %{"status" => "<script>alert('xss')</script>"})
conn =
conn
|> put_req_header("accept", "text/html")
|> get("/notice/#{activity.id}")
html = html_response(conn, 200)
assert html =~ ~s[&lt;script&gt;alert(&#39;xss&#39;)&lt;/script&gt;]
end
test "shows the whole thread", %{conn: conn, user: user} do test "shows the whole thread", %{conn: conn, user: user} do
{:ok, activity} = CommonAPI.post(user, %{"status" => "space: the final frontier"}) {:ok, activity} = CommonAPI.post(user, %{"status" => "space: the final frontier"})