author | multiple creatures <dev@multiple-creature.party> | 2019-05-22 10:34:03 -0500 |
---|---|---|
committer | multiple creatures <dev@multiple-creature.party> | 2019-05-22 10:34:03 -0500 |
commit | 61ac01a6bba2955bdca901f1162eb0010a422b67 (patch) | |
tree | a5df2dfa17d120f9b56df727b55154182512f881 /app | |
parent | 7b6f8e5419bd8b0e625670b9a7ecb8ae2ee0109b (diff) |
**security** - make sure local roars always get sanitized
Diffstat (limited to 'app')
-rw-r--r-- | app/lib/formatter.rb | 16 |
1 files changed, 7 insertions, 9 deletions
diff --git a/app/lib/formatter.rb b/app/lib/formatter.rb
index 64afc843c..2d35a07bc 100644
--- a/app/lib/formatter.rb
+++ b/app/lib/formatter.rb
@@ -205,7 +205,9 @@ class Formatter
 html = encode_and_link_urls(html, linkable_accounts, keep_html: %w(text/markdown text/x-bbcode text/x-bbcode+markdown text/html).include?(status.content_type))
 html = encode_custom_emojis(html, status.emojis, options[:autoplay]) if options[:custom_emojify]
- unless %w(text/markdown text/x-bbcode text/x-bbcode+markdown text/html).include?(status.content_type)
+ if %w(text/markdown text/x-bbcode text/x-bbcode+markdown text/html).include?(status.content_type)
+ html = reformat(html)
+ else
 html = simple_format(html, {}, sanitize: false)
 html = html.delete("\n")
 end
 
@@ -221,26 +223,22 @@ class Formatter
 end
 
 def format_markdown(html)
- html = reformat(markdown_formatter.render(html))
- html.delete("\r").delete("\n")
+ html = markdown_formatter.render(html)
 end
 
- def format_bbcode(html, sanitize = true)
+ def format_bbcode(html)
 html = bbcode_formatter(html)
 html = html.gsub(/<hr>.*<\/hr>/im, '<hr />')
- return html unless sanitize
- html = reformat(html)
- html.delete("\r").delete("\n")
 end
 
 def format_bbdown(html)
- html = format_bbcode(html, false)
+ html = format_bbcode(html)
 html = html.gsub(/<br *\/>|<br>/, '')
 format_markdown(html)
 end
 
 def reformat(html)
- sanitize(html, Sanitize::Config::MASTODON_STRICT)
+ sanitize(html, Sanitize::Config::MASTODON_STRICT).delete("\r").delete("\n")
 end
 
 def plaintext(status) |
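Review bot: The new `html = reformat(html)` line runs the sanitizer after `encode_and_link_urls` and `encode_custom_emojis`, so whatever markup those two helpers emit (link tags and their attributes, emoji image elements) has to be permitted by `Sanitize::Config::MASTODON_STRICT` or it will be stripped on this path; that config is not in the hunk, so a test that a linked, emojified markdown status still carries its links and emoji after `format` would confirm the ordering is safe. The content-type list `%w(text/markdown text/x-bbcode text/x-bbcode+markdown text/html)` is now spelled out twice within three lines (the `keep_html:` argument and the new `if`), which invites drift when a type is added; hoisting it into one frozen module constant and referencing it in both places keeps the two checks in lock-step. The enclosing `format` method begins and ends outside the hunk.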
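Review bot: After this hunk `format_markdown` and `format_bbcode` return unsanitized renderer output, with sanitization moved to the `reformat` call that `format` makes in the first hunk; nothing in their names says so, and any other caller of these helpers (none is visible here) would now receive raw HTML. A one-line comment above each, e.g. `# Returns unsanitized HTML; callers must pass the result through reformat.`, makes that contract explicit. Separately, `html = markdown_formatter.render(html)` assigns to a local that is never read again; `markdown_formatter.render(html)` as the final expression returns the same value and reads as intent rather than a leftover. Note also that `reformat` now strips CR/LF for every caller, not only the markdown/bbcode paths that previously did so themselves, so any other caller of `reformat` outside this hunk should be checked for relying on newlines being kept.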