Escape HTML instead of discarding it.

This commit is contained in:
eal 2017-11-18 14:43:41 +02:00
parent 4647bcd6e6
commit 66e78c3ec4
2 changed files with 3 additions and 2 deletions


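--- a/FILE1_PATH_NOT_ON_PAGE
+++ b/FILE1_PATH_NOT_ON_PAGE
@@ -58,7 +58,8 @@ def add_attachments(text, attachments) do
 end
 def format_input(text, mentions, tags) do
-HtmlSanitizeEx.strip_tags(text)
+Phoenix.HTML.html_escape(text)
+|> elem(1)
 |> Formatter.linkify
 |> String.replace("\n", "<br>\n")
 |> add_user_links(mentions)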
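Review bot: The added `|> elem(1)` reaches into the `{:safe, ...}` tuple that `Phoenix.HTML.html_escape/1` returns and then hands the payload to `String.replace/3`, which needs a binary; `Phoenix.HTML.safe_to_string/1` is the accessor that documents that intent and guarantees a binary, so I would write `Phoenix.HTML.html_escape(text) |> Phoenix.HTML.safe_to_string()` in place of those two new lines. Escaping now runs before `Formatter.linkify` and `add_user_links`, so those steps see `&`, `'` and `"` already entity-encoded; whether linkify still recognises URLs that carry such characters, and whether the markup it and `add_user_links` emit is built only from values they escape themselves, cannot be confirmed from this hunk. `format_input`'s body continues past the hunk.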


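--- a/FILE2_PATH_NOT_ON_PAGE
+++ b/FILE2_PATH_NOT_ON_PAGE
@@ -34,7 +34,7 @@ test "create a status" do
 { :ok, activity = %Activity{} } = TwitterAPI.create_status(user, input)
-assert get_in(activity.data, ["object", "content"]) == "Hello again, <a href='shp'>@shp</a>.<br>\nThis is on another line. #2hu #epic #phantasmagoric<br>\n<a href=\"http://example.org/image.jpg\" class='attachment'>image.jpg</a>"
+assert get_in(activity.data, ["object", "content"]) == "Hello again, <a href='shp'>@shp</a>.&lt;script&gt;&lt;/script&gt;<br>\nThis is on another line. #2hu #epic #phantasmagoric<br>\n<a href=\"http://example.org/image.jpg\" class='attachment'>image.jpg</a>"
 assert get_in(activity.data, ["object", "type"]) == "Note"
 assert get_in(activity.data, ["object", "actor"]) == user.ap_id
 assert get_in(activity.data, ["actor"]) == user.ap_id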
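Review bot: The updated assertion only exercises `<` and `>` (the `&lt;script&gt;&lt;/script&gt;` fragment); the `input` fixture that supplies the `<script></script>` text is set outside the hunk, and nothing here covers the other characters the escaper rewrites (`&`, `"`, `'`), which are the ones that matter once user text lands inside an attribute. I would add a sibling test whose input contains an ampersand, a double quote and a single quote and asserts each comes back entity-encoded, pinning the exact forms the escaper produces rather than inferring them. The enclosing `test "create a status"` block starts and ends outside the hunk.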