From 94d0e012dea89058b9c059636fb6d42f6565e534 Mon Sep 17 00:00:00 2001
From: nightpool
Date: Sat, 17 Jun 2017 14:26:05 -0400
Subject: Whitelist allowed classes for federated statuses (#3810)

* Whitelist allowed classes for federated statuses

Allowed classes are currently:
- Any microformats class (h/p/u/dt/e-*)
- the classes mention, hashtag, ellipses and invisible.

this last one is somewhat suspect, but Mastodon currently uses it to render hidden link text.

resolved #3790

* Fix code style
---
 spec/lib/formatter_spec.rb | 8 ++++++++
 1 file changed, 8 insertions(+)

(limited to 'spec/lib/formatter_spec.rb')

diff --git a/spec/lib/formatter_spec.rb b/spec/lib/formatter_spec.rb
index cc32f7fd6..dfe1d8b8f 100644
--- a/spec/lib/formatter_spec.rb
+++ b/spec/lib/formatter_spec.rb
@@ -204,6 +204,14 @@ RSpec.describe Formatter do
 is_expected.to_not include ''
 end
 end
+
+ context 'contains malicious classes' do
+ let(:text) { 'Show more' }
+
+ it 'strips malicious classes' do
+ is_expected.to_not include 'status__content__spoiler-link'
+ end
+ end
 end
 
 describe '#plaintext' do
-- cgit
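Review bot: The new example in `it 'strips malicious classes'` only asserts that the class name is absent, so it would pass just as well if Formatter dropped the whole element and its text, or returned an empty string; adding `is_expected.to include 'Show more'` to the same example pins the intended behaviour of "class removed, content kept". The `let(:text)` value as rendered here reads only `'Show more'`, which suggests the wrapping element that carries the class was lost in rendering, so it is worth confirming the fixture really contains `class="status__content__spoiler-link"` — otherwise the example is vacuous. The commit message names the classes that remain allowed (the h-/p-/u-/dt-/e- microformat prefixes, `mention`, `hashtag`, `ellipses`, `invisible`), but no example checks that one of them survives sanitisation, so an over-strict allowlist that breaks mention or hashtag rendering would go unnoticed; a sibling `context 'contains allowed classes'` asserting that the class is retained would close that gap. The enclosing `describe`, where `subject` and `text` are set up, starts outside the hunk.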