# frozen_string_literal: true
class Sanitize
module Config
# URL schemes accepted on href/src/cite attributes; the trailing :relative symbol
# is Sanitize's marker that relative URLs are admitted as well.
HTTP_PROTOCOLS ||= (%w[http https dat dweb ipfs ipns ssb gopher] + [:relative]).freeze
# Sanitize transformer: rewrites the node's `class` attribute so that only
# tokens from a fixed allow-list survive (microformats h-/p-/u-/dt-/e- classes,
# the `mention`/`hashtag` semantic classes, the `ellipsis`/`invisible` link
# formatting classes, `bbcode__*` and `signature`). A node without a `class`
# attribute is left untouched; one whose tokens are all rejected ends up with
# an empty `class`.
CLASS_WHITELIST_TRANSFORMER = lambda do |env|
  node = env[:node]
  raw_classes = node['class']
  return if raw_classes.nil?

  # tokens never contain newlines (we split on them), so \A/\z anchors are exact
  tokens = raw_classes.split(/[\t\n\f\r ]/)
  allowed = tokens.select do |token|
    token == 'signature' ||
      token.match?(/\A(?:h|p|u|dt|e)-/) ||           # microformats classes
      token.match?(/\A(?:mention|hashtag)\z/) ||     # semantic classes
      token.match?(/\A(?:ellipsis|invisible)\z/) ||  # link formatting classes
      token.match?(/\Abbcode__[a-z1-6\-]+\z/)        # bbcode
  end
  node['class'] = allowed.join(' ')
end
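# Sanitize transformer for `<a>` elements: detects link text that could mislead
# the reader about the destination and marks it, instead of silently rendering
# it. Only anchors with a non-blank href and text that are not mentions or
# hashtags are examined.
#
# Outcomes, in the order the checks run:
#   * untouched when the text equals the href, equals it once a `?k=v` query
#     string is removed from the text, or (after a trailing ellipsis is
#     dropped) is a prefix of the href, of host+path, or of the normalized
#     host+path;
#   * prefixed with a pencil mark (U+270D U+FE0F) when the text is custom and
#     either contains no domain-like token or its first such token matches the
#     href's registrable domain;
#   * prefixed with a warning sign (U+26A0 U+FE0F) when that first token
#     differs from the href's domain — possibly misleading text;
#   * when the href cannot be parsed (Addressable/IDN errors) the link is
#     defanged: href set to "#", children removed, text replaced by a cross mark.
ANCHOR_SANITIZER = lambda do |env|
  return unless env[:node_name] == 'a'

  node = env[:node]
  return if node['href'].blank? || node.text.blank?

  class_list = node['class']&.split(/[\t\n\f\r ]/)
  return if class_list && (class_list.include?('mention') || class_list.include?('hashtag'))

  # href matches link text verbatim?
  href = node['href']
  return if href == node.text.strip

  # remove query string from link text
  node.inner_html = node.inner_html.sub(/\?\S+=\S+/, '')

  # href matches link text without query string?
  text = node.text.strip
  return if href == text

  uri = Addressable::URI.parse(href)
  text.sub!(/ *(?:\u2026|\.\.\.)/, '')

  # href starts with link text?
  return if href.start_with?(text)

  # shortened href starts with link text? Interpolation tolerates a nil host
  # (HTTP_PROTOCOLS admits relative hrefs), where `host + path` would raise
  # NoMethodError and abort sanitization of the whole document.
  return if "#{uri.host}#{uri.path}".start_with?(text)

  # shortened & normalized href starts with link text?
  return if "#{uri.normalized_host}#{uri.normalized_path}".start_with?(text)

  # grab first domain from link text (" dot " is a common obfuscation)
  text = text.downcase.gsub(' dot ', '.')
  first_domain = text.scan(/[\w\-]+\.[\w\-]+(?:\.[\w\-]+)*/).first

  # first domain in link text (if there is one) matches href domain?
  if first_domain.nil? || uri.domain == first_domain
    # link text customized by author
    node.inner_html = "\u270d\ufe0f #{node.inner_html}"
    return
  end

  # possibly misleading link text
  node.inner_html = "\u26a0\ufe0f #{node.inner_html}"
rescue Addressable::URI::InvalidURIError, IDN::Idna::IdnaError
  # strip malformed links: neutralize the destination and drop the original text
  node = env[:node]
  node['href'] = '#'
  node.children.remove
  node.inner_html = "\u274c #{node.inner_html}"
end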
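# Sanitize transformer that strips common tracking parameters from the
# href/src/cite attributes of links, citations and embeds, so outgoing URLs
# do not carry cross-site tracking identifiers. Matching is case-insensitive
# on the parameter name; the remaining parameters are re-encoded with
# URI.encode_www_form.
QUERY_STRING_SANITIZER = lambda do |env|
  return unless %w(a blockquote embed iframe source).include?(env[:node_name])

  node = env[:node]
  ['href', 'src', 'cite'].each do |attr|
    next if node[attr].blank?

    url = Addressable::URI.parse(node[attr])
    next if url.query.blank?

    params = CGI.parse(url.query)
    params.delete_if do |key, _values|
      k = key.downcase
      # NOTE(review): 'ic' and 'ref' are broad prefixes (they also drop e.g.
      # 'icon' or 'refresh') — confirm this is intended.
      next true if k.start_with?(
        '_hs',
        'ic',
        'mc_',
        'mkt_',
        'ns_',
        'sr_',
        'utm',
        'vero_',
        'nr_',
        'ref',
      )
      # any parameter whose name mentions "track"
      next true if k.include?('track')
      # exact-name matches
      next true if [
        'fbclid',
        'gclid',
        'ncid',
        'ocid',
        'r',
        'spm',
      ].include?(k)
      false
    end
    # nil rather than "" so a fully-stripped query does not leave a dangling "?"
    url.query = params.empty? ? nil : URI.encode_www_form(params)
    node[attr] = url.to_s
  end
end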
# Allow-list used for user-generated status content. Anything not listed here
# (elements, attributes, URL schemes) is removed by Sanitize. Every anchor is
# forced to `rel="nofollow noopener"` / `target="_blank"`, so links open in a
# new tab without handing the destination a reference to the opener window.
MASTODON_STRICT ||= freeze_config(
  elements: %w[p br span a abbr del pre sub sup blockquote code b strong u i em h1 h2 h3 h4 h5 h6 ul ol li hr],
  attributes: {
    'a' => %w[href rel class title alt],
    'span' => %w[class],
    'abbr' => %w[title],
    'blockquote' => %w[cite],
    'p' => %w[class],
  },
  add_attributes: {
    'a' => {
      'rel' => 'nofollow noopener',
      'target' => '_blank',
    },
  },
  # href/cite are limited to HTTP_PROTOCOLS; other schemes are dropped
  protocols: {
    'a' => { 'href' => HTTP_PROTOCOLS },
    'blockquote' => { 'cite' => HTTP_PROTOCOLS },
  },
  # class filtering, tracking-parameter removal, then misleading-link detection
  transformers: [
    CLASS_WHITELIST_TRANSFORMER,
    QUERY_STRING_SANITIZER,
    ANCHOR_SANITIZER,
  ]
)
# Allow-list for oEmbed HTML: Sanitize's RELAXED config extended with media
# elements and the attributes embeds need. `src` on embed/iframe/source is
# limited to HTTP_PROTOCOLS; `div` may carry any data-* attribute. Note that
# no `sandbox` attribute is added to iframes here. Only the tracking-parameter
# transformer runs on this content.
MASTODON_OEMBED ||= freeze_config(
  merge(
    RELAXED,
    elements: RELAXED[:elements] + %w[audio embed iframe source video],
    attributes: merge(
      RELAXED[:attributes],
      'audio' => %w[controls],
      'embed' => %w[height src type width],
      'iframe' => %w[allowfullscreen frameborder height scrolling src width],
      'source' => %w[src type],
      'video' => %w[controls height loop width],
      'div' => [:data]
    ),
    protocols: merge(
      RELAXED[:protocols],
      'embed' => { 'src' => HTTP_PROTOCOLS },
      'iframe' => { 'src' => HTTP_PROTOCOLS },
      'source' => { 'src' => HTTP_PROTOCOLS }
    ),
    transformers: [QUERY_STRING_SANITIZER]
  )
)
end
end