Make sanitizer *not* add no-referrer etc. in local markdown toots if the link is “safe”
parent
2c510ee00a
commit
02f1c04fab
3 changed files with 20 additions and 6 deletions
|
@ -59,7 +59,7 @@ class Formatter
|
||||||
html = "RT @#{prepend_reblog} #{html}" if prepend_reblog
|
html = "RT @#{prepend_reblog} #{html}" if prepend_reblog
|
||||||
html = format_markdown(html) if status.content_type == 'text/markdown'
|
html = format_markdown(html) if status.content_type == 'text/markdown'
|
||||||
html = encode_and_link_urls(html, linkable_accounts, keep_html: %w(text/markdown text/html).include?(status.content_type))
|
html = encode_and_link_urls(html, linkable_accounts, keep_html: %w(text/markdown text/html).include?(status.content_type))
|
||||||
html = reformat(html) if %w(text/markdown text/html).include?(status.content_type)
|
html = reformat(html, true) if %w(text/markdown text/html).include?(status.content_type)
|
||||||
html = encode_custom_emojis(html, status.emojis, options[:autoplay]) if options[:custom_emojify]
|
html = encode_custom_emojis(html, status.emojis, options[:autoplay]) if options[:custom_emojify]
|
||||||
|
|
||||||
unless %w(text/markdown text/html).include?(status.content_type)
|
unless %w(text/markdown text/html).include?(status.content_type)
|
||||||
|
@ -75,8 +75,8 @@ class Formatter
|
||||||
html.delete("\r").delete("\n")
|
html.delete("\r").delete("\n")
|
||||||
end
|
end
|
||||||
|
|
||||||
def reformat(html)
|
def reformat(html, outgoing = false)
|
||||||
sanitize(html, Sanitize::Config::MASTODON_STRICT)
|
sanitize(html, Sanitize::Config::MASTODON_STRICT.merge(outgoing: outgoing))
|
||||||
rescue ArgumentError
|
rescue ArgumentError
|
||||||
''
|
''
|
||||||
end
|
end
|
||||||
|
|
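Review bot: The positional boolean added to `reformat` makes the call `reformat(html, true)` opaque at the call site, even though this flag decides whether `nofollow noopener noreferrer` may be skipped on links. A keyword argument would make the intent visible: `def reformat(html, outgoing: false)` and `html = reformat(html, outgoing: true) if %w(text/markdown text/html).include?(status.content_type)`. A short comment on `reformat` should state that `outgoing` may only be true for locally authored statuses, because passing it for remote content would exempt untrusted links that point at this instance. The rest of `format` lies outside the hunk, so whether this line is reached only for local statuses cannot be confirmed from here.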
|
@ -60,7 +60,10 @@ class Sanitize
|
||||||
node = env[:node]
|
node = env[:node]
|
||||||
|
|
||||||
rel = (node['rel'] || '').split(' ') & ['tag']
|
rel = (node['rel'] || '').split(' ') & ['tag']
|
||||||
node['rel'] = (['nofollow', 'noopener', 'noreferrer'] + rel).join(' ')
|
unless env[:config][:outgoing] && TagManager.instance.local_url?(node['href'])
|
||||||
|
rel += ['nofollow', 'noopener', 'noreferrer']
|
||||||
|
end
|
||||||
|
node['rel'] = rel.join(' ')
|
||||||
end
|
end
|
||||||
|
|
||||||
UNSUPPORTED_HREF_TRANSFORMER = lambda do |env|
|
UNSUPPORTED_HREF_TRANSFORMER = lambda do |env|
|
||||||
|
@ -103,8 +106,8 @@ class Sanitize
|
||||||
transformers: [
|
transformers: [
|
||||||
CLASS_WHITELIST_TRANSFORMER,
|
CLASS_WHITELIST_TRANSFORMER,
|
||||||
IMG_TAG_TRANSFORMER,
|
IMG_TAG_TRANSFORMER,
|
||||||
LINK_REL_TRANSFORMER,
|
|
||||||
UNSUPPORTED_HREF_TRANSFORMER,
|
UNSUPPORTED_HREF_TRANSFORMER,
|
||||||
|
LINK_REL_TRANSFORMER,
|
||||||
]
|
]
|
||||||
)
|
)
|
||||||
|
|
||||||
|
|
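Review bot: The new guard passes `node['href']` straight to `TagManager.instance.local_url?`, whose implementation is not shown in this diff. If it parses the value and raises on a missing, relative or malformed href, the error would escape `Formatter#reformat`, which rescues only `ArgumentError`. Moving `LINK_REL_TRANSFORMER` after `UNSUPPORTED_HREF_TRANSFORMER` presumably narrows this, but an `<a>` with no href still looks reachable, so consider a guard such as `local = env[:config][:outgoing] && node['href'].present? && TagManager.instance.local_url?(node['href'])` and add the rel values whenever the check cannot be made. Exempt links also keep `target="_blank"` without `noopener`, so the exemption relies on everything served from the local web domain being trusted. The lambda begins above this hunk.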
|
@ -7,6 +7,12 @@ describe Sanitize::Config do
|
||||||
describe '::MASTODON_STRICT' do
|
describe '::MASTODON_STRICT' do
|
||||||
subject { Sanitize::Config::MASTODON_STRICT }
|
subject { Sanitize::Config::MASTODON_STRICT }
|
||||||
|
|
||||||
|
around do |example|
|
||||||
|
original_web_domain = Rails.configuration.x.web_domain
|
||||||
|
example.run
|
||||||
|
Rails.configuration.x.web_domain = original_web_domain
|
||||||
|
end
|
||||||
|
|
||||||
it 'keeps h1' do
|
it 'keeps h1' do
|
||||||
expect(Sanitize.fragment('<h1>Foo</h1>', subject)).to eq '<h1>Foo</h1>'
|
expect(Sanitize.fragment('<h1>Foo</h1>', subject)).to eq '<h1>Foo</h1>'
|
||||||
end
|
end
|
||||||
|
@ -32,7 +38,12 @@ describe Sanitize::Config do
|
||||||
end
|
end
|
||||||
|
|
||||||
it 'keeps a with href and rel tag' do
|
it 'keeps a with href and rel tag' do
|
||||||
expect(Sanitize.fragment('<a href="http://example.com" rel="tag">Test</a>', subject)).to eq '<a href="http://example.com" rel="nofollow noopener noreferrer tag" target="_blank">Test</a>'
|
expect(Sanitize.fragment('<a href="http://example.com" rel="tag">Test</a>', subject)).to eq '<a href="http://example.com" rel="tag nofollow noopener noreferrer" target="_blank">Test</a>'
|
||||||
|
end
|
||||||
|
|
||||||
|
it 'keeps a with href and rel tag, not adding to rel if url is local' do
|
||||||
|
Rails.configuration.x.web_domain = 'domain.test'
|
||||||
|
expect(Sanitize.fragment('<a href="http://domain.test/tags/foo" rel="tag">Test</a>', subject.merge(outgoing: true))).to eq '<a href="http://domain.test/tags/foo" rel="tag" target="_blank">Test</a>'
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
|
|
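Review bot: The new example covers only the case where the exemption applies; nothing pins the cases where it must not. Add examples asserting that `subject.merge(outgoing: true)` still yields `rel="tag nofollow noopener noreferrer"` for `http://example.com`, and that a local URL without `outgoing` is still hardened. A host that merely contains the local domain (constructed sample: `http://domain.test.example.com/`) should also be shown not to count as local. An anchor with no `href` under `outgoing: true` deserves an example too, to pin that the sanitizer does not raise.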