diff --git a/lib/pleroma/html.ex b/lib/pleroma/html.ex
index 878fac28c..cf18f070c 100644
--- a/lib/pleroma/html.ex
+++ b/lib/pleroma/html.ex
@@ -69,6 +69,8 @@ defmodule Pleroma.HTML.Scrubber.TwitterText do
"alt"
])
end
+
+ Meta.strip_everything_not_covered()
end
defmodule Pleroma.HTML.Scrubber.Default do
diff --git a/test/html_test.exs b/test/html_test.exs
new file mode 100644
index 000000000..f7150759b
--- /dev/null
+++ b/test/html_test.exs
@@ -0,0 +1,80 @@
+defmodule Pleroma.HTMLTest do
+ alias Pleroma.HTML
+ use Pleroma.DataCase
+
+ @html_sample """
+ this is in bold
+
this is a paragraph
+ this is a linebreak
+ this is an image:
+
+ """
+
+ @html_onerror_sample """
+
+ """
+
+ describe "StripTags scrubber" do
+ test "works as expected" do
+ expected = """
+ this is in bold
+ this is a paragraph
+ this is a linebreak
+ this is an image:
+ alert('hacked')
+ """
+
+ assert expected == HTML.strip_tags(@html_sample)
+ end
+
+ test "does not allow attribute-based XSS" do
+ expected = "\n"
+
+ assert expected == HTML.strip_tags(@html_onerror_sample)
+ end
+ end
+
+ describe "TwitterText scrubber" do
+ test "normalizes HTML as expected" do
+ expected = """
+ this is in bold
+ this is a paragraph
+ this is a linebreak
+ this is an image:
+ alert('hacked')
+ """
+
+ assert expected == HTML.filter_tags(@html_sample, Pleroma.HTML.Scrubber.TwitterText)
+ end
+
+ test "does not allow attribute-based XSS" do
+ expected = """
+
+ """
+
+ assert expected == HTML.filter_tags(@html_onerror_sample, Pleroma.HTML.Scrubber.TwitterText)
+ end
+ end
+
+ describe "default scrubber" do
+ test "normalizes HTML as expected" do
+ expected = """
+ this is in bold
+ this is a paragraph
+ this is a linebreak
+ this is an image:
+ alert('hacked')
+ """
+
+ assert expected == HTML.filter_tags(@html_sample, Pleroma.HTML.Scrubber.Default)
+ end
+
+ test "does not allow attribute-based XSS" do
+ expected = """
+
+ """
+
+ assert expected == HTML.filter_tags(@html_onerror_sample, Pleroma.HTML.Scrubber.Default)
+ end
+ end
+end