Merge branch 'sanitize-bio' into 'develop'

mastodon api: sanitize the bio HTML See merge request pleroma/pleroma!282
2018-08-21 16:56:24 +00:00 · 2018-08-21 16:56:24 +00:00 · a6d4cc8917
parent 5a8bb3cb3b 2b5db840ee
commit a6d4cc8917
2 changed files with 3 additions and 2 deletions
--- a/lib/pleroma/web/mastodon_api/views/account_view.ex
+++ b/lib/pleroma/web/mastodon_api/views/account_view.ex
@ -36,7 +36,7 @@ defmodule Pleroma.Web.MastodonAPI.AccountView do
      followers_count: user_info.follower_count,
      following_count: user_info.following_count,
      statuses_count: user_info.note_count,
-      note: user.bio || "",
+      note: HtmlSanitizeEx.basic_html(user.bio) || "",
      url: user.ap_id,
      avatar: image,
      avatar_static: image,
--- a/test/web/mastodon_api/account_view_test.exs
+++ b/test/web/mastodon_api/account_view_test.exs
@ -20,6 +20,7 @@ defmodule Pleroma.Web.MastodonAPI.AccountViewTest do
        info: %{"note_count" => 5, "follower_count" => 3, "source_data" => source_data},
        nickname: "shp@shitposter.club",
        name: ":karjalanpiirakka: shp",
+        bio: "<script src=\"invalid-html\"></script><span>valid html</span>",
        inserted_at: ~N[2017-08-15 15:47:06.597036]
      })

@ -33,7 +34,7 @@ defmodule Pleroma.Web.MastodonAPI.AccountViewTest do
      followers_count: 3,
      following_count: 0,
      statuses_count: 5,
-      note: user.bio,
+      note: "<span>valid html</span>",
      url: user.ap_id,
      avatar: "http://localhost:4001/images/avi.png",
      avatar_static: "http://localhost:4001/images/avi.png",