Allow 'rel' attribute on <a>
link with specific values (for hashtag recognition).
parent
6d6f48d079
commit
4ed2618f6c
4 changed files with 24 additions and 2 deletions
|
@ -95,6 +95,13 @@ defmodule Pleroma.HTML.Scrubber.TwitterText do
|
||||||
Meta.allow_tag_with_uri_attributes("a", ["href", "data-user", "data-tag"], @valid_schemes)
|
Meta.allow_tag_with_uri_attributes("a", ["href", "data-user", "data-tag"], @valid_schemes)
|
||||||
Meta.allow_tag_with_these_attributes("a", ["name", "title", "class"])
|
Meta.allow_tag_with_these_attributes("a", ["name", "title", "class"])
|
||||||
|
|
||||||
|
Meta.allow_tag_with_this_attribute_values("a", "rel", [
|
||||||
|
"tag",
|
||||||
|
"nofollow",
|
||||||
|
"noopener",
|
||||||
|
"noreferrer"
|
||||||
|
])
|
||||||
|
|
||||||
# paragraphs and linebreaks
|
# paragraphs and linebreaks
|
||||||
Meta.allow_tag_with_these_attributes("br", [])
|
Meta.allow_tag_with_these_attributes("br", [])
|
||||||
Meta.allow_tag_with_these_attributes("p", [])
|
Meta.allow_tag_with_these_attributes("p", [])
|
||||||
|
@ -137,6 +144,13 @@ defmodule Pleroma.HTML.Scrubber.Default do
|
||||||
Meta.allow_tag_with_uri_attributes("a", ["href", "data-user", "data-tag"], @valid_schemes)
|
Meta.allow_tag_with_uri_attributes("a", ["href", "data-user", "data-tag"], @valid_schemes)
|
||||||
Meta.allow_tag_with_these_attributes("a", ["name", "title", "class"])
|
Meta.allow_tag_with_these_attributes("a", ["name", "title", "class"])
|
||||||
|
|
||||||
|
Meta.allow_tag_with_this_attribute_values("a", "rel", [
|
||||||
|
"tag",
|
||||||
|
"nofollow",
|
||||||
|
"noopener",
|
||||||
|
"noreferrer"
|
||||||
|
])
|
||||||
|
|
||||||
Meta.allow_tag_with_these_attributes("abbr", ["title"])
|
Meta.allow_tag_with_these_attributes("abbr", ["title"])
|
||||||
|
|
||||||
Meta.allow_tag_with_these_attributes("b", [])
|
Meta.allow_tag_with_these_attributes("b", [])
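Review bot: The `rel` allow-list added after the `"a"` attribute rules in `Pleroma.HTML.Scrubber.TwitterText` has no comment on how values are matched, even though `rel` is a space-separated token list. Judging by the updated HTML test, where `rel="tag noallowed"` loses the whole attribute, the value appears to be compared as a single string. A federated link carrying `rel="nofollow noopener noreferrer"` would then presumably lose all three tokens rather than keep them. If that is intended, say so above the call, e.g. `# rel is matched as a whole value; any other value, including multi-token ones, is dropped`. The identical list is repeated in the `Pleroma.HTML.Scrubber.Default` hunk and could drift apart; both module bodies start and end outside the hunks shown.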
|
||||||
|
|
|
@ -10,6 +10,8 @@ defmodule Pleroma.HTMLTest do
|
||||||
<b>this is in bold</b>
|
<b>this is in bold</b>
|
||||||
<p>this is a paragraph</p>
|
<p>this is a paragraph</p>
|
||||||
this is a linebreak<br />
|
this is a linebreak<br />
|
||||||
|
this is a link with allowed "rel" attribute: <a href="http://example.com/" rel="tag">example.com</a>
|
||||||
|
this is a link with not allowed "rel" attribute: <a href="http://example.com/" rel="tag noallowed">example.com</a>
|
||||||
this is an image: <img src="http://example.com/image.jpg"><br />
|
this is an image: <img src="http://example.com/image.jpg"><br />
|
||||||
<script>alert('hacked')</script>
|
<script>alert('hacked')</script>
|
||||||
"""
|
"""
|
||||||
|
@ -24,6 +26,8 @@ test "works as expected" do
|
||||||
this is in bold
|
this is in bold
|
||||||
this is a paragraph
|
this is a paragraph
|
||||||
this is a linebreak
|
this is a linebreak
|
||||||
|
this is a link with allowed "rel" attribute: example.com
|
||||||
|
this is a link with not allowed "rel" attribute: example.com
|
||||||
this is an image:
|
this is an image:
|
||||||
alert('hacked')
|
alert('hacked')
|
||||||
"""
|
"""
|
||||||
|
@ -44,6 +48,8 @@ test "normalizes HTML as expected" do
|
||||||
this is in bold
|
this is in bold
|
||||||
<p>this is a paragraph</p>
|
<p>this is a paragraph</p>
|
||||||
this is a linebreak<br />
|
this is a linebreak<br />
|
||||||
|
this is a link with allowed "rel" attribute: <a href="http://example.com/" rel="tag">example.com</a>
|
||||||
|
this is a link with not allowed "rel" attribute: <a href="http://example.com/">example.com</a>
|
||||||
this is an image: <img src="http://example.com/image.jpg" /><br />
|
this is an image: <img src="http://example.com/image.jpg" /><br />
|
||||||
alert('hacked')
|
alert('hacked')
|
||||||
"""
|
"""
|
||||||
|
@ -66,6 +72,8 @@ test "normalizes HTML as expected" do
|
||||||
<b>this is in bold</b>
|
<b>this is in bold</b>
|
||||||
<p>this is a paragraph</p>
|
<p>this is a paragraph</p>
|
||||||
this is a linebreak<br />
|
this is a linebreak<br />
|
||||||
|
this is a link with allowed "rel" attribute: <a href="http://example.com/" rel="tag">example.com</a>
|
||||||
|
this is a link with not allowed "rel" attribute: <a href="http://example.com/">example.com</a>
|
||||||
this is an image: <img src="http://example.com/image.jpg" /><br />
|
this is an image: <img src="http://example.com/image.jpg" /><br />
|
||||||
alert('hacked')
|
alert('hacked')
|
||||||
"""
|
"""
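Review bot: The two fixture lines added to the input in `Pleroma.HTMLTest` cover only `rel="tag"` and the mixed `rel="tag noallowed"`. The values `nofollow`, `noopener` and `noreferrer` are allow-listed by this commit but never exercised, and neither is a multi-token value made only of allowed tokens. One more input line, such as `this is a link with combined "rel" values: <a href="http://example.com/" rel="nofollow noopener">example.com</a>`, with its expected output in each of the three expectations, would pin what the scrubbers do with it. The test bodies continue outside the hunks shown.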
|
||||||
|
|
|
@ -1632,7 +1632,7 @@ test "updates the user's bio", %{conn: conn} do
|
||||||
assert user = json_response(conn, 200)
|
assert user = json_response(conn, 200)
|
||||||
|
|
||||||
assert user["note"] ==
|
assert user["note"] ==
|
||||||
~s(I drink <a class="hashtag" data-tag="cofe" href="http://localhost:4001/tag/cofe">#cofe</a> with <span class="h-card"><a data-user=") <>
|
~s(I drink <a class="hashtag" data-tag="cofe" href="http://localhost:4001/tag/cofe" rel="tag">#cofe</a> with <span class="h-card"><a data-user=") <>
|
||||||
user2.id <>
|
user2.id <>
|
||||||
~s(" class="u-url mention" href=") <>
|
~s(" class="u-url mention" href=") <>
|
||||||
user2.ap_id <> ~s(">@<span>) <> user2.nickname <> ~s(</span></a></span>)
|
user2.ap_id <> ~s(">@<span>) <> user2.nickname <> ~s(</span></a></span>)
|
||||||
|
|
|
@ -82,7 +82,7 @@ test "a create activity with a html status" do
|
||||||
result = ActivityView.render("activity.json", activity: activity)
|
result = ActivityView.render("activity.json", activity: activity)
|
||||||
|
|
||||||
assert result["statusnet_html"] ==
|
assert result["statusnet_html"] ==
|
||||||
"<a class=\"hashtag\" data-tag=\"bike\" href=\"http://localhost:4001/tag/bike\">#Bike</a> log - Commute Tuesday<br /><a href=\"https://pla.bike/posts/20181211/\">https://pla.bike/posts/20181211/</a><br /><a class=\"hashtag\" data-tag=\"cycling\" href=\"http://localhost:4001/tag/cycling\">#cycling</a> <a class=\"hashtag\" data-tag=\"chscycling\" href=\"http://localhost:4001/tag/chscycling\">#CHScycling</a> <a class=\"hashtag\" data-tag=\"commute\" href=\"http://localhost:4001/tag/commute\">#commute</a><br />MVIMG_20181211_054020.jpg"
|
"<a class=\"hashtag\" data-tag=\"bike\" href=\"http://localhost:4001/tag/bike\" rel=\"tag\">#Bike</a> log - Commute Tuesday<br /><a href=\"https://pla.bike/posts/20181211/\">https://pla.bike/posts/20181211/</a><br /><a class=\"hashtag\" data-tag=\"cycling\" href=\"http://localhost:4001/tag/cycling\" rel=\"tag\">#cycling</a> <a class=\"hashtag\" data-tag=\"chscycling\" href=\"http://localhost:4001/tag/chscycling\" rel=\"tag\">#CHScycling</a> <a class=\"hashtag\" data-tag=\"commute\" href=\"http://localhost:4001/tag/commute\" rel=\"tag\">#commute</a><br />MVIMG_20181211_054020.jpg"
|
||||||
|
|
||||||
assert result["text"] ==
|
assert result["text"] ==
|
||||||
"#Bike log - Commute Tuesday\nhttps://pla.bike/posts/20181211/\n#cycling #CHScycling #commute\nMVIMG_20181211_054020.jpg"
|
"#Bike log - Commute Tuesday\nhttps://pla.bike/posts/20181211/\n#cycling #CHScycling #commute\nMVIMG_20181211_054020.jpg"
|
||||||
|
|