authornightpool <eg1290@gmail.com>2017-06-17 14:26:05 -0400
committerEugen Rochko <eugen@zeonfederated.com>2017-06-17 20:26:05 +0200
commit94d0e012dea89058b9c059636fb6d42f6565e534 (patch)
treed14c43d4177eefcfa3b981d757753df731e693d8 /spec/lib/formatter_spec.rb
parent8fd931dc126d0f90417a6614bd21bb945543e4f4 (diff)
Whitelist allowed classes for federated statuses (#3810)
* Whitelist allowed classes for federated statuses

Allowed classes are currently:

 - Any microformats class (h/p/u/dt/e-*)
 - the classes mention, hashtag, ellipses and invisible.

This last one is somewhat suspect, but Mastodon currently uses it to render hidden link text.

resolved #3790

* Fix code style
Diffstat (limited to 'spec/lib/formatter_spec.rb')
-rw-r--r--spec/lib/formatter_spec.rb8
1 files changed, 8 insertions, 0 deletions
diff --git a/spec/lib/formatter_spec.rb b/spec/lib/formatter_spec.rb
index cc32f7fd6..dfe1d8b8f 100644
--- a/spec/lib/formatter_spec.rb
+++ b/spec/lib/formatter_spec.rb
@@ -204,6 +204,14 @@ RSpec.describe Formatter do
         is_expected.to_not include '<script>alert("Hello")</script>'
       end
     end
+
+    context 'contains malicious classes' do
+      let(:text) { '<span class="status__content__spoiler-link">Show more</span>' }
+
+      it 'strips malicious classes' do
+        is_expected.to_not include 'status__content__spoiler-link'
+      end
+    end
   end
 
   describe '#plaintext' do
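Review bot: The new context at the bottom of the hunk only asserts that the hostile class name is absent, so it cannot tell a sanitizer that strips the disallowed class from one that drops the whole `<span>` or one that also strips the classes this commit intends to keep; a positive assertion alongside it, something like `is_expected.to include 'Show more'` in the same example, would pin that the content survives. A sibling context with `let(:text) { '<span class="mention status__content__spoiler-link">Show more</span>' }` asserting `is_expected.to include 'mention'` and `is_expected.to_not include 'status__content__spoiler-link'` would exercise the allow-list on a mixed class attribute rather than an all-or-nothing one. A microformats case (e.g. `class="h-card"` kept, and a class where the `h-` does not start the token, such as `xh-card`, presumably dropped if the prefix match is anchored) is also worth adding, though the matching rule itself is not visible in this hunk. The enclosing `describe` and the `subject` that `is_expected` refers to start outside the hunk.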