From e983f708846a5784e23b7e18734a61ed7f6e3636 Mon Sep 17 00:00:00 2001
From: lain
Date: Thu, 16 Apr 2020 17:50:24 +0200
Subject: [PATCH] ChatMessagesHandling: Strip HTML of incoming messages.

---
 .../web/activity_pub/transmogrifier/chat_message_handling.ex | 3 +++
 test/web/activity_pub/transmogrifier/chat_message_test.exs | 2 ++
 2 files changed, 5 insertions(+)

diff --git a/lib/pleroma/web/activity_pub/transmogrifier/chat_message_handling.ex b/lib/pleroma/web/activity_pub/transmogrifier/chat_message_handling.ex
index 815b866c9..11bd10456 100644
--- a/lib/pleroma/web/activity_pub/transmogrifier/chat_message_handling.ex
+++ b/lib/pleroma/web/activity_pub/transmogrifier/chat_message_handling.ex
@@ -19,6 +19,9 @@ defmodule Pleroma.Web.ActivityPub.Transmogrifier.ChatMessageHandling do
          {_, {:ok, object_cast_data_sym}} <-
            {:casting_object_data, object_data |> ChatMessageValidator.cast_and_apply()},
          object_cast_data = ObjectValidator.stringify_keys(object_cast_data_sym),
+         # For now, just strip HTML
+         stripped_content = Pleroma.HTML.strip_tags(object_cast_data["content"]),
+         object_cast_data = object_cast_data |> Map.put("content", stripped_content),
          {_, {:ok, validated_object, _meta}} <-
            {:validate_object, ObjectValidator.validate(object_cast_data, %{})},
          {_, {:ok, _created_object}} <- {:persist_object, Object.create(validated_object)},
diff --git a/test/web/activity_pub/transmogrifier/chat_message_test.exs b/test/web/activity_pub/transmogrifier/chat_message_test.exs
index 5b238f9c4..7e7f9ebec 100644
--- a/test/web/activity_pub/transmogrifier/chat_message_test.exs
+++ b/test/web/activity_pub/transmogrifier/chat_message_test.exs
@@ -56,7 +56,9 @@ defmodule Pleroma.Web.ActivityPub.Transmogrifier.ChatMessageTest do
       assert activity.recipients == [recipient.ap_id, author.ap_id]
       %Object{} = object = Object.get_by_ap_id(activity.data["object"])
+      assert object
+      assert object.data["content"] == "You expected a cute girl? Too bad. alert('XSS')"
     end
   end
 end
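Review bot: The new `stripped_content = Pleroma.HTML.strip_tags(object_cast_data["content"])` clause runs before `ObjectValidator.validate`, so a remote object with no `content` key passes `nil` into `strip_tags`; whether that returns `nil` or raises is not visible here, but if it raises the whole `with` crashes instead of falling through to a tagged error like every other clause in this chain. A guard such as `stripped_content = object_cast_data["content"] && Pleroma.HTML.strip_tags(object_cast_data["content"])` keeps missing content on the validator's error path. Sanitization also lives only in this inbound transmogrifier path; if chat messages can be created or validated anywhere else (the validator is shared, judging by `ChatMessageValidator.cast_and_apply()`), that path would store unstripped content unless the same step is applied there, and moving the stripping into the validator would cover every producer at once. The `# For now, just strip HTML` comment would be more useful if it said what the intended end state is, e.g. `# For now, just strip HTML; a tag-whitelist scrubber like the one used for Notes is the intended replacement`. The enclosing function starts and ends outside this hunk.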
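Review bot: The added `assert object` is redundant: the `%Object{} = object = Object.get_by_ap_id(...)` match on the line above already raises a MatchError when nothing is returned, so the assertion can never fail on its own and can be dropped. The second assertion is the one that carries the change; pinning the exact stripped string is fine, but since it presumably depends on tags wrapping `alert('XSS')` in the fixture, a companion `refute object.data["content"] =~ "<"` would keep the test meaningful if the fixture text is ever edited. The enclosing test block starts outside this hunk.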