authormultiple creatures <dev@multiple-creature.party>2019-05-22 10:34:03 -0500
committermultiple creatures <dev@multiple-creature.party>2019-05-22 10:34:03 -0500
commit61ac01a6bba2955bdca901f1162eb0010a422b67 (patch)
treea5df2dfa17d120f9b56df727b55154182512f881 /app
parent7b6f8e5419bd8b0e625670b9a7ecb8ae2ee0109b (diff)
**security** - make sure local roars always get sanitized
Diffstat (limited to 'app')
-rw-r--r--app/lib/formatter.rb16
1 files changed, 7 insertions, 9 deletions
diff --git a/app/lib/formatter.rb b/app/lib/formatter.rb
index 64afc843c..2d35a07bc 100644
--- a/app/lib/formatter.rb
+++ b/app/lib/formatter.rb
@@ -205,7 +205,9 @@ class Formatter
     html = encode_and_link_urls(html, linkable_accounts, keep_html: %w(text/markdown text/x-bbcode text/x-bbcode+markdown text/html).include?(status.content_type))
     html = encode_custom_emojis(html, status.emojis, options[:autoplay]) if options[:custom_emojify]
 
-    unless %w(text/markdown text/x-bbcode text/x-bbcode+markdown text/html).include?(status.content_type)
+    if %w(text/markdown text/x-bbcode text/x-bbcode+markdown text/html).include?(status.content_type)
+      html = reformat(html)
+    else
       html = simple_format(html, {}, sanitize: false)
       html = html.delete("\n")
     end
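Review bot: The sanitizer now runs on the assembled HTML after `encode_and_link_urls` and `encode_custom_emojis` have inserted their own markup, so whatever elements and attributes those helpers emit must be on the `Sanitize::Config::MASTODON_STRICT` allow-list or links and custom emoji will be silently stripped from rich-text statuses; nothing in this hunk shows that allow-list, so it is worth confirming. Sanitizing last is the safer ordering, and a comment would make the invariant explicit, e.g. `# reformat must stay after every transform above: all of that markup is untrusted`. The `else` branch still calls `simple_format(html, {}, sanitize: false)`, which presumably relies on `encode_and_link_urls` having escaped the text when keep_html is false; stating that next to the call would keep a future reordering from quietly dropping the escaping. The enclosing method begins before this hunk.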
@@ -221,26 +223,22 @@ class Formatter
   end
 
   def format_markdown(html)
-    html = reformat(markdown_formatter.render(html))
-    html.delete("\r").delete("\n")
+    html = markdown_formatter.render(html)
   end
 
-  def format_bbcode(html, sanitize = true)
+  def format_bbcode(html)
     html = bbcode_formatter(html)
     html = html.gsub(/<hr>.*<\/hr>/im, '<hr />')
-    return html unless sanitize
-    html = reformat(html)
-    html.delete("\r").delete("\n")
   end
 
   def format_bbdown(html)
-    html = format_bbcode(html, false)
+    html = format_bbcode(html)
     html = html.gsub(/<br *\/>|<br>/, '')
     format_markdown(html)
   end
 
   def reformat(html)
-    sanitize(html, Sanitize::Config::MASTODON_STRICT)
+    sanitize(html, Sanitize::Config::MASTODON_STRICT).delete("\r").delete("\n")
   end
 
   def plaintext(status)
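Review bot: `format_markdown` and `format_bbcode` no longer sanitize their return value, so any caller other than the one in `format` that still expects sanitized HTML from them now receives raw renderer output; those callers are outside this diff and should be checked, and the new contract should be written above each method, e.g. `# Returns UNSANITIZED HTML; callers must pass the result through reformat.` The assignment on the new line in `format_markdown`, `html = markdown_formatter.render(html)`, is dead since the value is only returned, so `markdown_formatter.render(html)` alone reads cleaner. `reformat` now also strips every `\r` and `\n` after sanitizing, which matches what the old `format_markdown` and `format_bbcode` did but now applies to every path through `reformat`, including any `<pre>`/`<code>` content the sanitizer keeps; a short comment on `reformat` noting that newline removal is intentional would help the next reader.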