scrubbers: Scrub img class attribute

Closes: https://git.pleroma.social/pleroma/pleroma/-/merge_requests/3790
This commit is contained in:
Haelwenn (lanodan) Monnier 2022-11-27 03:40:21 +01:00
parent 59b8c920f6
commit 508b438b53
3 changed files with 30 additions and 2 deletions

View File

@ -64,13 +64,14 @@ defmodule Pleroma.HTML.Scrubber.Default do
@allow_inline_images Pleroma.Config.get([:markup, :allow_inline_images]) @allow_inline_images Pleroma.Config.get([:markup, :allow_inline_images])
if @allow_inline_images do if @allow_inline_images do
Meta.allow_tag_with_this_attribute_values(:img, "class", ["emoji"])
# restrict img tags to http/https only, because of MediaProxy. # restrict img tags to http/https only, because of MediaProxy.
Meta.allow_tag_with_uri_attributes(:img, ["src"], ["http", "https"]) Meta.allow_tag_with_uri_attributes(:img, ["src"], ["http", "https"])
Meta.allow_tag_with_these_attributes(:img, [ Meta.allow_tag_with_these_attributes(:img, [
"width", "width",
"height", "height",
"class",
"title", "title",
"alt" "alt"
]) ])

View File

@ -41,13 +41,14 @@ defmodule Pleroma.HTML.Scrubber.TwitterText do
# allow inline images for custom emoji # allow inline images for custom emoji
if Pleroma.Config.get([:markup, :allow_inline_images]) do if Pleroma.Config.get([:markup, :allow_inline_images]) do
Meta.allow_tag_with_this_attribute_values(:img, "class", ["emoji"])
# restrict img tags to http/https only, because of MediaProxy. # restrict img tags to http/https only, because of MediaProxy.
Meta.allow_tag_with_uri_attributes(:img, ["src"], ["http", "https"]) Meta.allow_tag_with_uri_attributes(:img, ["src"], ["http", "https"])
Meta.allow_tag_with_these_attributes(:img, [ Meta.allow_tag_with_these_attributes(:img, [
"width", "width",
"height", "height",
"class",
"title", "title",
"alt" "alt"
]) ])

View File

@ -17,6 +17,7 @@ defmodule Pleroma.HTMLTest do
this is a link with allowed "rel" attribute: <a href="http://example.com/" rel="tag">example.com</a> this is a link with allowed "rel" attribute: <a href="http://example.com/" rel="tag">example.com</a>
this is a link with not allowed "rel" attribute: <a href="http://example.com/" rel="tag noallowed">example.com</a> this is a link with not allowed "rel" attribute: <a href="http://example.com/" rel="tag noallowed">example.com</a>
this is an image: <img src="http://example.com/image.jpg"><br /> this is an image: <img src="http://example.com/image.jpg"><br />
this is an inline emoji: <img class="emoji" src="http://example.com/image.jpg"><br />
<script>alert('hacked')</script> <script>alert('hacked')</script>
""" """
@ -24,6 +25,10 @@ defmodule Pleroma.HTMLTest do
<img src="http://example.com/image.jpg" onerror="alert('hacked')"> <img src="http://example.com/image.jpg" onerror="alert('hacked')">
""" """
@html_stillimage_sample """
<img class="still-image" src="http://example.com/image.jpg">
"""
@html_span_class_sample """ @html_span_class_sample """
<span class="animate-spin">hi</span> <span class="animate-spin">hi</span>
""" """
@ -45,6 +50,7 @@ test "works as expected" do
this is a link with allowed &quot;rel&quot; attribute: example.com this is a link with allowed &quot;rel&quot; attribute: example.com
this is a link with not allowed &quot;rel&quot; attribute: example.com this is a link with not allowed &quot;rel&quot; attribute: example.com
this is an image: this is an image:
this is an inline emoji:
alert(&#39;hacked&#39;) alert(&#39;hacked&#39;)
""" """
@ -67,6 +73,7 @@ test "normalizes HTML as expected" do
this is a link with allowed &quot;rel&quot; attribute: <a href="http://example.com/" rel="tag">example.com</a> this is a link with allowed &quot;rel&quot; attribute: <a href="http://example.com/" rel="tag">example.com</a>
this is a link with not allowed &quot;rel&quot; attribute: <a href="http://example.com/">example.com</a> this is a link with not allowed &quot;rel&quot; attribute: <a href="http://example.com/">example.com</a>
this is an image: <img src="http://example.com/image.jpg"/><br/> this is an image: <img src="http://example.com/image.jpg"/><br/>
this is an inline emoji: <img class="emoji" src="http://example.com/image.jpg"/><br/>
alert(&#39;hacked&#39;) alert(&#39;hacked&#39;)
""" """
@ -90,6 +97,15 @@ test "does not allow spans with invalid classes" do
HTML.filter_tags(@html_span_class_sample, Pleroma.HTML.Scrubber.TwitterText) HTML.filter_tags(@html_span_class_sample, Pleroma.HTML.Scrubber.TwitterText)
end end
test "does not allow images with invalid classes" do
expected = """
<img src="http://example.com/image.jpg"/>
"""
assert expected ==
HTML.filter_tags(@html_stillimage_sample, Pleroma.HTML.Scrubber.TwitterText)
end
test "does allow microformats" do test "does allow microformats" do
expected = """ expected = """
<span class="h-card"><a class="u-url mention">@<span>foo</span></a></span> <span class="h-card"><a class="u-url mention">@<span>foo</span></a></span>
@ -121,6 +137,7 @@ test "normalizes HTML as expected" do
this is a link with allowed &quot;rel&quot; attribute: <a href="http://example.com/" rel="tag">example.com</a> this is a link with allowed &quot;rel&quot; attribute: <a href="http://example.com/" rel="tag">example.com</a>
this is a link with not allowed &quot;rel&quot; attribute: <a href="http://example.com/">example.com</a> this is a link with not allowed &quot;rel&quot; attribute: <a href="http://example.com/">example.com</a>
this is an image: <img src="http://example.com/image.jpg"/><br/> this is an image: <img src="http://example.com/image.jpg"/><br/>
this is an inline emoji: <img class="emoji" src="http://example.com/image.jpg"/><br/>
alert(&#39;hacked&#39;) alert(&#39;hacked&#39;)
""" """
@ -143,6 +160,15 @@ test "does not allow spans with invalid classes" do
assert expected == HTML.filter_tags(@html_span_class_sample, Pleroma.HTML.Scrubber.Default) assert expected == HTML.filter_tags(@html_span_class_sample, Pleroma.HTML.Scrubber.Default)
end end
test "does not allow images with invalid classes" do
expected = """
<img src="http://example.com/image.jpg"/>
"""
assert expected ==
HTML.filter_tags(@html_stillimage_sample, Pleroma.HTML.Scrubber.TwitterText)
end
test "does allow microformats" do test "does allow microformats" do
expected = """ expected = """
<span class="h-card"><a class="u-url mention">@<span>foo</span></a></span> <span class="h-card"><a class="u-url mention">@<span>foo</span></a></span>