From 983a87175e6f83da1828630cbaad4b33b04c6d81 Mon Sep 17 00:00:00 2001 From: rinpatch Date: Thu, 30 Jan 2020 19:47:57 +0300 Subject: [PATCH] mastodon API: do not sanitize html in non-html fields --- CHANGELOG.md | 1 + .../web/mastodon_api/views/account_view.ex | 4 ++-- .../web/mastodon_api/views/poll_view.ex | 3 +-- .../web/mastodon_api/views/status_view.ex | 19 ++----------------- .../update_credentials_test.exs | 4 ++-- .../mastodon_api/views/account_view_test.exs | 4 ++-- 6 files changed, 10 insertions(+), 25 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 68ebb03a7..917e5d4ef 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -37,6 +37,7 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/). - **Breaking:** Admin API: `PUT /api/pleroma/admin/reports/:id` is now `PATCH /api/pleroma/admin/reports`, see admin_api.md for details - **Breaking:** `/api/pleroma/admin/users/invite_token` now uses `POST`, changed accepted params and returns full invite in json instead of only token string. - **Breaking** replying to reports is now "report notes", enpoint changed from `POST /api/pleroma/admin/reports/:id/respond` to `POST /api/pleroma/admin/reports/:id/notes` +- Mastodon API: stopped sanitizing display names, field names and subject fields since they are supposed to be treated as plaintext - Admin API: Return `total` when querying for reports - Mastodon API: Return `pleroma.direct_conversation_id` when creating a direct message (`POST /api/v1/statuses`) - Admin API: Return link alongside with token on password reset diff --git a/lib/pleroma/web/mastodon_api/views/account_view.ex b/lib/pleroma/web/mastodon_api/views/account_view.ex index a5420f480..c6d37ead7 100644 --- a/lib/pleroma/web/mastodon_api/views/account_view.ex +++ b/lib/pleroma/web/mastodon_api/views/account_view.ex @@ -67,7 +67,7 @@ defmodule Pleroma.Web.MastodonAPI.AccountView do end defp do_render("show.json", %{user: user} = opts) do - display_name = HTML.strip_tags(user.name || user.nickname) + display_name = user.name || user.nickname image = User.avatar_url(user) |> MediaProxy.url() header = User.banner_url(user) |> MediaProxy.url() @@ -105,7 +105,7 @@ defmodule Pleroma.Web.MastodonAPI.AccountView do |> User.fields() |> Enum.map(fn %{"name" => name, "value" => value} -> %{ - "name" => Pleroma.HTML.strip_tags(name), + "name" => name, "value" => Pleroma.HTML.filter_tags(value, Pleroma.HTML.Scrubber.LinksOnly) } end) diff --git a/lib/pleroma/web/mastodon_api/views/poll_view.ex b/lib/pleroma/web/mastodon_api/views/poll_view.ex index 753039da3..6bb3652fb 100644 --- a/lib/pleroma/web/mastodon_api/views/poll_view.ex +++ b/lib/pleroma/web/mastodon_api/views/poll_view.ex @@ -5,7 +5,6 @@ defmodule Pleroma.Web.MastodonAPI.PollView do use Pleroma.Web, :view - alias Pleroma.HTML alias Pleroma.Web.CommonAPI.Utils def render("show.json", %{object: object, multiple: multiple, options: options} = params) do @@ -57,7 +56,7 @@ defmodule Pleroma.Web.MastodonAPI.PollView do current_count = option["replies"]["totalItems"] || 0 {%{ - title: HTML.strip_tags(name), + title: name, votes_count: current_count }, current_count + count} end) diff --git a/lib/pleroma/web/mastodon_api/views/status_view.ex b/lib/pleroma/web/mastodon_api/views/status_view.ex index e60ef709b..721e9f566 100644 --- a/lib/pleroma/web/mastodon_api/views/status_view.ex +++ b/lib/pleroma/web/mastodon_api/views/status_view.ex @@ -216,21 +216,6 @@ defmodule Pleroma.Web.MastodonAPI.StatusView do summary = object.data["summary"] || "" - summary_html = - summary - |> HTML.get_cached_scrubbed_html_for_activity( - User.html_filter_policy(opts[:for]), - activity, - "mastoapi:summary" - ) - - summary_plaintext = - summary - |> HTML.get_cached_stripped_html_for_activity( - activity, - "mastoapi:summary" - ) - card = render("card.json", Pleroma.Web.RichMedia.Helpers.fetch_data_for_activity(activity)) url = @@ -282,7 +267,7 @@ defmodule Pleroma.Web.MastodonAPI.StatusView do muted: thread_muted? || User.mutes?(opts[:for], user), pinned: pinned?(activity, user), sensitive: sensitive, - spoiler_text: summary_html, + spoiler_text: summary, visibility: get_visibility(object), media_attachments: attachments, poll: render(PollView, "show.json", object: object, for: opts[:for]), @@ -299,7 +284,7 @@ defmodule Pleroma.Web.MastodonAPI.StatusView do conversation_id: get_context_id(activity), in_reply_to_account_acct: reply_to_user && reply_to_user.nickname, content: %{"text/plain" => content_plaintext}, - spoiler_text: %{"text/plain" => summary_plaintext}, + spoiler_text: %{"text/plain" => summary}, expires_at: expires_at, direct_conversation_id: direct_conversation_id, thread_muted: thread_muted?, diff --git a/test/web/mastodon_api/controllers/account_controller/update_credentials_test.exs b/test/web/mastodon_api/controllers/account_controller/update_credentials_test.exs index 09bdc46e0..82d9e7d2f 100644 --- a/test/web/mastodon_api/controllers/account_controller/update_credentials_test.exs +++ b/test/web/mastodon_api/controllers/account_controller/update_credentials_test.exs @@ -269,7 +269,7 @@ defmodule Pleroma.Web.MastodonAPI.MastodonAPIController.UpdateCredentialsTest do |> json_response(200) assert account_data["fields"] == [ - %{"name" => "foo", "value" => "bar"}, + %{"name" => "foo", "value" => "bar"}, %{"name" => "link", "value" => ~S(cofe.io)} ] @@ -297,7 +297,7 @@ defmodule Pleroma.Web.MastodonAPI.MastodonAPIController.UpdateCredentialsTest do |> json_response(200) assert account["fields"] == [ - %{"name" => "foo", "value" => "bar"}, + %{"name" => "foo", "value" => "bar"}, %{"name" => "link", "value" => ~S(cofe.io)} ] diff --git a/test/web/mastodon_api/views/account_view_test.exs b/test/web/mastodon_api/views/account_view_test.exs index 2107bb85c..00c294845 100644 --- a/test/web/mastodon_api/views/account_view_test.exs +++ b/test/web/mastodon_api/views/account_view_test.exs @@ -368,10 +368,10 @@ defmodule Pleroma.Web.MastodonAPI.AccountViewTest do assert result.pleroma[:settings_store] == nil end - test "sanitizes display names" do + test "doesn't sanitize display names" do user = insert(:user, name: " username ") result = AccountView.render("show.json", %{user: user}) - refute result.display_name == " username " + assert result.display_name == " username " end test "never display nil user follow counts" do