about summary refs log tree commit diff
diff options
context:
space:
mode:
-rw-r--r--app/lib/sanitize_config.rb2
-rw-r--r--app/lib/tag_manager.rb1
-rw-r--r--spec/lib/sanitize_config_spec.rb38
3 files changed, 30 insertions, 11 deletions
diff --git a/app/lib/sanitize_config.rb b/app/lib/sanitize_config.rb
index 34793ed93..dfd8b9f91 100644
--- a/app/lib/sanitize_config.rb
+++ b/app/lib/sanitize_config.rb
@@ -55,7 +55,7 @@ class Sanitize
     end
 
     LINK_REL_TRANSFORMER = lambda do |env|
-      return unless env[:node_name] == 'a'
+      return unless env[:node_name] == 'a' and env[:node]['href']
 
       node = env[:node]
 
diff --git a/app/lib/tag_manager.rb b/app/lib/tag_manager.rb
index d06bea059..29dde128c 100644
--- a/app/lib/tag_manager.rb
+++ b/app/lib/tag_manager.rb
@@ -32,6 +32,7 @@ class TagManager
 
   def local_url?(url)
     uri    = Addressable::URI.parse(url).normalize
+    return false unless uri.host
     domain = uri.host + (uri.port ? ":#{uri.port}" : '')
 
     TagManager.instance.web_domain?(domain)
diff --git a/spec/lib/sanitize_config_spec.rb b/spec/lib/sanitize_config_spec.rb
index 7370c536b..28a548c49 100644
--- a/spec/lib/sanitize_config_spec.rb
+++ b/spec/lib/sanitize_config_spec.rb
@@ -4,15 +4,7 @@ require 'rails_helper'
 require Rails.root.join('app', 'lib', 'sanitize_config.rb')
 
 describe Sanitize::Config do
-  describe '::MASTODON_STRICT' do
-    subject { Sanitize::Config::MASTODON_STRICT }
-
-    around do |example|
-      original_web_domain = Rails.configuration.x.web_domain
-      example.run
-      Rails.configuration.x.web_domain = original_web_domain
-    end
-
+  shared_examples 'common HTML sanitization' do
     it 'keeps h1' do
       expect(Sanitize.fragment('<h1>Foo</h1>', subject)).to eq '<h1>Foo</h1>'
     end
@@ -37,13 +29,39 @@ describe Sanitize::Config do
       expect(Sanitize.fragment('<a href="http://example.com">Test</a>', subject)).to eq '<a href="http://example.com" rel="nofollow noopener noreferrer" target="_blank">Test</a>'
     end
 
+    it 'removes a with unparsable href' do
+      expect(Sanitize.fragment('<a href=" https://google.fr">Test</a>', subject)).to eq 'Test'
+    end
+
+    it 'keeps a with supported scheme and no host' do
+      expect(Sanitize.fragment('<a href="dweb:/a/foo">Test</a>', subject)).to eq '<a href="dweb:/a/foo" rel="nofollow noopener noreferrer" target="_blank">Test</a>'
+    end
+  end
+
+  describe '::MASTODON_STRICT' do
+    subject { Sanitize::Config::MASTODON_STRICT }
+
+    it_behaves_like 'common HTML sanitization'
+
     it 'keeps a with href and rel tag' do
       expect(Sanitize.fragment('<a href="http://example.com" rel="tag">Test</a>', subject)).to eq '<a href="http://example.com" rel="tag nofollow noopener noreferrer" target="_blank">Test</a>'
     end
+  end
+
+  describe '::MASTODON_STRICT with outgoing toots' do
+    subject { Sanitize::Config::MASTODON_STRICT.merge(outgoing: true) }
+
+    around do |example|
+      original_web_domain = Rails.configuration.x.web_domain
+      example.run
+      Rails.configuration.x.web_domain = original_web_domain
+    end
+
+    it_behaves_like 'common HTML sanitization'
 
     it 'keeps a with href and rel tag, not adding to rel if url is local' do
       Rails.configuration.x.web_domain = 'domain.test'
-      expect(Sanitize.fragment('<a href="http://domain.test/tags/foo" rel="tag">Test</a>', subject.merge(outgoing: true))).to eq '<a href="http://domain.test/tags/foo" rel="tag" target="_blank">Test</a>'
+      expect(Sanitize.fragment('<a href="http://domain.test/tags/foo" rel="tag">Test</a>', subject)).to eq '<a href="http://domain.test/tags/foo" rel="tag" target="_blank">Test</a>'
     end
   end
 end