SafeText: Let through basic html.
parent
32431ad1ee
commit
2c9465cc51
3 changed files with 22 additions and 1 deletions
|
@ -10,7 +10,7 @@ defmodule Pleroma.Web.ActivityPub.ObjectValidators.Types.SafeText do
|
||||||
def type, do: :string
|
def type, do: :string
|
||||||
|
|
||||||
def cast(str) when is_binary(str) do
|
def cast(str) when is_binary(str) do
|
||||||
{:ok, HTML.strip_tags(str)}
|
{:ok, HTML.filter_tags(str)}
|
||||||
end
|
end
|
||||||
|
|
||||||
def cast(_), do: :error
|
def cast(_), do: :error
|
||||||
|
|
|
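Review bot: The new `cast/1` body delegates to `HTML.filter_tags/1` without recording that the allowed tag set is now whatever scrubber that function is configured with, rather than a fixed policy of this type; a reader of SafeText alone cannot tell which tags survive. I would add a comment above the clause: `# Scrubs rather than strips: the surviving tags and attributes are those permitted by the scrubber HTML.filter_tags/1 is configured with, so the two tests pinning "<a href=...>" output are coupled to that configuration.` The surrounding module header is outside the hunk, so a `@moduledoc` line saying the same would also be appropriate if one exists. The same coupling applies to the expected strings in the two test hunks below.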
@ -113,6 +113,20 @@ test "it is invalid if the object data has a different `to` or `actor` field" do
|
||||||
%{user: user, recipient: recipient, valid_chat_message: valid_chat_message}
|
%{user: user, recipient: recipient, valid_chat_message: valid_chat_message}
|
||||||
end
|
end
|
||||||
|
|
||||||
|
test "let's through some basic html", %{user: user, recipient: recipient} do
|
||||||
|
{:ok, valid_chat_message, _} =
|
||||||
|
Builder.chat_message(
|
||||||
|
user,
|
||||||
|
recipient.ap_id,
|
||||||
|
"hey <a href='https://example.org'>example</a> <script>alert('uguu')</script>"
|
||||||
|
)
|
||||||
|
|
||||||
|
assert {:ok, object, _meta} = ObjectValidator.validate(valid_chat_message, [])
|
||||||
|
|
||||||
|
assert object["content"] ==
|
||||||
|
"hey <a href=\"https://example.org\">example</a> alert('uguu')"
|
||||||
|
end
|
||||||
|
|
||||||
test "validates for a basic object we build", %{valid_chat_message: valid_chat_message} do
|
test "validates for a basic object we build", %{valid_chat_message: valid_chat_message} do
|
||||||
assert {:ok, object, _meta} = ObjectValidator.validate(valid_chat_message, [])
|
assert {:ok, object, _meta} = ObjectValidator.validate(valid_chat_message, [])
|
||||||
|
|
||||||
|
|
|
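Review bot: The new test's name has a typo — "let's" is "let us"; it should read `test "lets through some basic html", %{user: user, recipient: recipient} do`. The expected content also pins the scrubber's exact normalisation (single-quoted `href` rewritten to double quotes), so it will break on a scrubber change even when the allow/deny decision is unchanged; if that is intended, a one-line comment above the assertion saying so would save the next maintainer a surprise. The enclosing `describe` block starts and ends outside the hunk.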
@ -17,6 +17,13 @@ test "it removes html tags from text" do
|
||||||
assert {:ok, "hey look xss alert('foo')"} == SafeText.cast(text)
|
assert {:ok, "hey look xss alert('foo')"} == SafeText.cast(text)
|
||||||
end
|
end
|
||||||
|
|
||||||
|
test "it keeps basic html tags" do
|
||||||
|
text = "hey <a href='http://gensokyo.2hu'>look</a> xss <script>alert('foo')</script>"
|
||||||
|
|
||||||
|
assert {:ok, "hey <a href=\"http://gensokyo.2hu\">look</a> xss alert('foo')"} ==
|
||||||
|
SafeText.cast(text)
|
||||||
|
end
|
||||||
|
|
||||||
test "errors for non-text" do
|
test "errors for non-text" do
|
||||||
assert :error == SafeText.cast(1)
|
assert :error == SafeText.cast(1)
|
||||||
end
|
end
|
||||||
|
|
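Review bot: With `cast/1` now keeping allowed tags, the sibling test name "it removes html tags from text" (the clause ending at the top of this hunk) no longer describes the behaviour precisely; consider renaming it to `test "it removes disallowed html tags from text" do` so the two tests read as a pair — its `text` binding is defined outside the hunk, so I cannot confirm it avoids the now-allowed tags. The new test covers the positive case only; a negative case asserting that a disallowed attribute or a non-http `href` scheme is dropped would pin the defensive side of the policy, assuming the configured scrubber restricts them. As in the other hunks, the expected string also bakes in quote normalisation of `href`.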