ChatMessagesHandling: Strip HTML of incoming messages.
This commit is contained in:
parent
41fdcb7282
commit
e983f70884
|
@ -19,6 +19,9 @@ def handle_incoming(
|
||||||
{_, {:ok, object_cast_data_sym}} <-
|
{_, {:ok, object_cast_data_sym}} <-
|
||||||
{:casting_object_data, object_data |> ChatMessageValidator.cast_and_apply()},
|
{:casting_object_data, object_data |> ChatMessageValidator.cast_and_apply()},
|
||||||
object_cast_data = ObjectValidator.stringify_keys(object_cast_data_sym),
|
object_cast_data = ObjectValidator.stringify_keys(object_cast_data_sym),
|
||||||
|
# For now, just strip HTML
|
||||||
|
stripped_content = Pleroma.HTML.strip_tags(object_cast_data["content"]),
|
||||||
|
object_cast_data = object_cast_data |> Map.put("content", stripped_content),
|
||||||
{_, {:ok, validated_object, _meta}} <-
|
{_, {:ok, validated_object, _meta}} <-
|
||||||
{:validate_object, ObjectValidator.validate(object_cast_data, %{})},
|
{:validate_object, ObjectValidator.validate(object_cast_data, %{})},
|
||||||
{_, {:ok, _created_object}} <- {:persist_object, Object.create(validated_object)},
|
{_, {:ok, _created_object}} <- {:persist_object, Object.create(validated_object)},
|
||||||
|
|
|
@ -56,7 +56,9 @@ test "it inserts it and creates a chat" do
|
||||||
assert activity.recipients == [recipient.ap_id, author.ap_id]
|
assert activity.recipients == [recipient.ap_id, author.ap_id]
|
||||||
|
|
||||||
%Object{} = object = Object.get_by_ap_id(activity.data["object"])
|
%Object{} = object = Object.get_by_ap_id(activity.data["object"])
|
||||||
|
|
||||||
assert object
|
assert object
|
||||||
|
assert object.data["content"] == "You expected a cute girl? Too bad. alert('XSS')"
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
|
|
Loading…
Reference in New Issue