Merge branch 'bugfix/html-scrub-schemes' into 'develop'

lib/pleroma/html.ex: Fix scheme lists See merge request pleroma/pleroma!377
2018-10-18 14:36:40 +00:00 · 2018-10-18 14:36:40 +00:00 · ad3181895c
parent 6098070234 595d855f0e
commit ad3181895c
3 changed files with 34 additions and 31 deletions
--- a/config/config.exs
+++ b/config/config.exs
@ -24,7 +24,23 @@ config :pleroma, Pleroma.Uploaders.S3,

 config :pleroma, :emoji, shortcode_globs: ["/emoji/custom/**/*.png"]

-config :pleroma, :uri_schemes, additionnal_schemes: []
+config :pleroma, :uri_schemes,
+  valid_schemes: [
+    "https",
+    "http",
+    "dat",
+    "dweb",
+    "gopher",
+    "ipfs",
+    "ipns",
+    "irc",
+    "ircs",
+    "magnet",
+    "mailto",
+    "mumble",
+    "ssb",
+    "xmpp"
+  ]

 # Configures the endpoint
 config :pleroma, Pleroma.Web.Endpoint,
--- a/lib/pleroma/formatter.ex
+++ b/lib/pleroma/formatter.ex
@ -171,25 +171,8 @@ defmodule Pleroma.Formatter do

  @link_regex ~r/[0-9a-z+\-\.]+:[0-9a-z$-_.+!*'(),]+/ui

-  # IANA got a list https://www.iana.org/assignments/uri-schemes/ but
-  # Stuff like ipfs isn’t in it
-  # There is very niche stuff
-  @uri_schemes [
-    "https://",
-    "http://",
-    "dat://",
-    "dweb://",
-    "gopher://",
-    "ipfs://",
-    "ipns://",
-    "irc:",
-    "ircs:",
-    "magnet:",
-    "mailto:",
-    "mumble:",
-    "ssb://",
-    "xmpp:"
-  ]
+  @uri_schemes Application.get_env(:pleroma, :uri_schemes, [])
+  @valid_schemes Keyword.get(@uri_schemes, :valid_schemes, [])

  # TODO: make it use something other than @link_regex
  def html_escape(text, "text/html") do
@ -207,14 +190,10 @@ defmodule Pleroma.Formatter do

  @doc "changes scheme:... urls to html links"
  def add_links({subs, text}) do
-    additionnal_schemes =
-      Application.get_env(:pleroma, :uri_schemes, [])
-      |> Keyword.get(:additionnal_schemes, [])
-
    links =
      text
      |> String.split([" ", "\t", "<br>"])
-      |> Enum.filter(fn word -> String.starts_with?(word, @uri_schemes ++ additionnal_schemes) end)
+      |> Enum.filter(fn word -> String.starts_with?(word, @valid_schemes) end)
      |> Enum.filter(fn word -> Regex.match?(@link_regex, word) end)
      |> Enum.map(fn url -> {Ecto.UUID.generate(), url} end)
      |> Enum.sort_by(fn {_, url} -> -String.length(url) end)
--- a/lib/pleroma/html.ex
+++ b/lib/pleroma/html.ex
@ -36,10 +36,14 @@ defmodule Pleroma.HTML.Scrubber.TwitterText do
  paragraphs, breaks and links are allowed through the filter.
  """

+  @markup Application.get_env(:pleroma, :markup)
+  @uri_schemes Application.get_env(:pleroma, :uri_schemes, [])
+  @valid_schemes Keyword.get(@uri_schemes, :valid_schemes, [])
+
  require HtmlSanitizeEx.Scrubber.Meta
  alias HtmlSanitizeEx.Scrubber.Meta

-  @valid_schemes ["http", "https"]
+  alias Pleroma.HTML

  Meta.remove_cdata_sections_before_scrub()
  Meta.strip_comments()
@ -56,11 +60,11 @@ defmodule Pleroma.HTML.Scrubber.TwitterText do
  Meta.allow_tag_with_these_attributes("span", [])

  # allow inline images for custom emoji
-  @markup Application.get_env(:pleroma, :markup)
  @allow_inline_images Keyword.get(@markup, :allow_inline_images)

  if @allow_inline_images do
-    Meta.allow_tag_with_uri_attributes("img", ["src"], @valid_schemes)
+    # restrict img tags to http/https only, because of MediaProxy.
+    Meta.allow_tag_with_uri_attributes("img", ["src"], ["http", "https"])

    Meta.allow_tag_with_these_attributes("img", [
      "width",
@ -79,7 +83,11 @@ defmodule Pleroma.HTML.Scrubber.Default do
  require HtmlSanitizeEx.Scrubber.Meta
  alias HtmlSanitizeEx.Scrubber.Meta

-  @valid_schemes ["http", "https"]
+  alias Pleroma.HTML
+
+  @markup Application.get_env(:pleroma, :markup)
+  @uri_schemes Application.get_env(:pleroma, :uri_schemes, [])
+  @valid_schemes Keyword.get(@uri_schemes, :valid_schemes, [])

  Meta.remove_cdata_sections_before_scrub()
  Meta.strip_comments()
@ -103,11 +111,11 @@ defmodule Pleroma.HTML.Scrubber.Default do
  Meta.allow_tag_with_these_attributes("u", [])
  Meta.allow_tag_with_these_attributes("ul", [])

-  @markup Application.get_env(:pleroma, :markup)
  @allow_inline_images Keyword.get(@markup, :allow_inline_images)

  if @allow_inline_images do
-    Meta.allow_tag_with_uri_attributes("img", ["src"], @valid_schemes)
+    # restrict img tags to http/https only, because of MediaProxy.
+    Meta.allow_tag_with_uri_attributes("img", ["src"], ["http", "https"])

    Meta.allow_tag_with_these_attributes("img", [
      "width",