diff options
author | nightpool <eg1290@gmail.com> | 2017-06-17 14:26:05 -0400 |
---|---|---|
committer | Eugen Rochko <eugen@zeonfederated.com> | 2017-06-17 20:26:05 +0200 |
commit | 94d0e012dea89058b9c059636fb6d42f6565e534 (patch) | |
tree | d14c43d4177eefcfa3b981d757753df731e693d8 | |
parent | 8fd931dc126d0f90417a6614bd21bb945543e4f4 (diff) |
Whitelist allowed classes for federated statuses (#3810)
* Whitelist allowed classes for federated statuses Allowed classes are currently: - Any microformats class (h/p/u/dt/e-*) - the classes mention, hashtag, ellipses and invisible. this last one is somewhat suspect, but Mastodon currently uses it to render hidden link text. resolved #3790 * Fix code style
-rw-r--r-- | app/lib/sanitize_config.rb | 21 | ||||
-rw-r--r-- | spec/lib/formatter_spec.rb | 8 |
2 files changed, 28 insertions, 1 deletions
diff --git a/app/lib/sanitize_config.rb b/app/lib/sanitize_config.rb index 9cf9b3db0..f09288fcd 100644 --- a/app/lib/sanitize_config.rb +++ b/app/lib/sanitize_config.rb @@ -4,6 +4,21 @@ class Sanitize module Config HTTP_PROTOCOLS ||= ['http', 'https', :relative].freeze + CLASS_WHITELIST_TRANSFORMER = lambda do |env| + node = env[:node] + class_list = node['class']&.split(' ') + + return unless class_list + + class_list.keep_if do |e| + return true if e =~ /^(h|p|u|dt|e)-/ # microformats classes + return true if e =~ /^(mention|hashtag)$/ # semantic classes + return true if e =~ /^(ellipsis|invisible)$/ # link formatting classes + end + + node['class'] = class_list.join(' ') + end + MASTODON_STRICT ||= freeze_config( elements: %w(p br span a), @@ -21,7 +36,11 @@ class Sanitize protocols: { 'a' => { 'href' => HTTP_PROTOCOLS }, - } + }, + + transformers: [ + CLASS_WHITELIST_TRANSFORMER, + ] ) MASTODON_OEMBED ||= freeze_config merge( diff --git a/spec/lib/formatter_spec.rb b/spec/lib/formatter_spec.rb index cc32f7fd6..dfe1d8b8f 100644 --- a/spec/lib/formatter_spec.rb +++ b/spec/lib/formatter_spec.rb @@ -204,6 +204,14 @@ RSpec.describe Formatter do is_expected.to_not include '<script>alert("Hello")</script>' end end + + context 'contains malicious classes' do + let(:text) { '<span class="status__content__spoiler-link">Show more</span>' } + + it 'strips malicious classes' do + is_expected.to_not include 'status__content__spoiler-link' + end + end end describe '#plaintext' do |