Strip unsafe html on output in TwAPI.

This commit is contained in:
Roger Braun 2017-06-18 13:40:35 +02:00
parent a9bfbcae80
commit 8feec8d390
2 changed files with 3 additions and 3 deletions

View file

@ -105,7 +105,7 @@ def to_map(%Activity{data: %{"object" => %{"content" => content} = object}} = ac
"id" => activity.id, "id" => activity.id,
"user" => UserRepresenter.to_map(user, opts), "user" => UserRepresenter.to_map(user, opts),
"attentions" => [], "attentions" => [],
"statusnet_html" => content, "statusnet_html" => HtmlSanitizeEx.basic_html(content),
"text" => HtmlSanitizeEx.strip_tags(content), "text" => HtmlSanitizeEx.strip_tags(content),
"is_local" => true, "is_local" => true,
"is_post_verb" => true, "is_post_verb" => true,

View file

@ -67,7 +67,7 @@ test "an activity" do
} }
} }
content_html = "Some #content #mentioning <a href='#{mentioned_user.ap_id}'>@shp</shp>" content_html = "<script>alert('YAY')</script>Some #content #mentioning <a href='#{mentioned_user.ap_id}'>@shp</a>"
content = HtmlSanitizeEx.strip_tags(content_html) content = HtmlSanitizeEx.strip_tags(content_html)
date = DateTime.from_naive!(~N[2016-05-24 13:26:08.003], "Etc/UTC") |> DateTime.to_iso8601 date = DateTime.from_naive!(~N[2016-05-24 13:26:08.003], "Etc/UTC") |> DateTime.to_iso8601
@ -108,7 +108,7 @@ test "an activity" do
"user" => UserRepresenter.to_map(user, %{for: follower}), "user" => UserRepresenter.to_map(user, %{for: follower}),
"is_local" => true, "is_local" => true,
"attentions" => [], "attentions" => [],
"statusnet_html" => content_html <> "<br>\n#nsfw", "statusnet_html" => HtmlSanitizeEx.basic_html(content_html) <> "<br />\n#nsfw",
"text" => content <> "\n#nsfw", "text" => content <> "\n#nsfw",
"is_post_verb" => true, "is_post_verb" => true,
"created_at" => "Tue May 24 13:26:08 +0000 2016", "created_at" => "Tue May 24 13:26:08 +0000 2016",