From 02f1c04fabab221130de8dfb5611be81825b193b Mon Sep 17 00:00:00 2001 From: Thibaut Girka Date: Sun, 22 Mar 2020 17:56:49 +0100 Subject: [PATCH] =?UTF-8?q?Make=20sanitizer=20*not*=20add=20no-referrer=20?= =?UTF-8?q?etc.=20in=20local=20markdown=20toots=20if=20the=20link=20is=20?= =?UTF-8?q?=E2=80=9Csafe=E2=80=9D?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- app/lib/formatter.rb | 6 +++--- app/lib/sanitize_config.rb | 7 +++++-- spec/lib/sanitize_config_spec.rb | 13 ++++++++++++- 3 files changed, 20 insertions(+), 6 deletions(-) diff --git a/app/lib/formatter.rb b/app/lib/formatter.rb index b7a0286d2..051f27408 100644 --- a/app/lib/formatter.rb +++ b/app/lib/formatter.rb @@ -59,7 +59,7 @@ class Formatter html = "RT @#{prepend_reblog} #{html}" if prepend_reblog html = format_markdown(html) if status.content_type == 'text/markdown' html = encode_and_link_urls(html, linkable_accounts, keep_html: %w(text/markdown text/html).include?(status.content_type)) - html = reformat(html) if %w(text/markdown text/html).include?(status.content_type) + html = reformat(html, true) if %w(text/markdown text/html).include?(status.content_type) html = encode_custom_emojis(html, status.emojis, options[:autoplay]) if options[:custom_emojify] unless %w(text/markdown text/html).include?(status.content_type) @@ -75,8 +75,8 @@ class Formatter html.delete("\r").delete("\n") end - def reformat(html) - sanitize(html, Sanitize::Config::MASTODON_STRICT) + def reformat(html, outgoing = false) + sanitize(html, Sanitize::Config::MASTODON_STRICT.merge(outgoing: outgoing)) rescue ArgumentError '' end diff --git a/app/lib/sanitize_config.rb b/app/lib/sanitize_config.rb index 8bbcca4ce..34793ed93 100644 --- a/app/lib/sanitize_config.rb +++ b/app/lib/sanitize_config.rb @@ -60,7 +60,10 @@ class Sanitize node = env[:node] rel = (node['rel'] || '').split(' ') & ['tag'] - node['rel'] = (['nofollow', 'noopener', 'noreferrer'] + rel).join(' ') + unless env[:config][:outgoing] && TagManager.instance.local_url?(node['href']) + rel += ['nofollow', 'noopener', 'noreferrer'] + end + node['rel'] = rel.join(' ') end UNSUPPORTED_HREF_TRANSFORMER = lambda do |env| @@ -103,8 +106,8 @@ class Sanitize transformers: [ CLASS_WHITELIST_TRANSFORMER, IMG_TAG_TRANSFORMER, - LINK_REL_TRANSFORMER, UNSUPPORTED_HREF_TRANSFORMER, + LINK_REL_TRANSFORMER, ] ) diff --git a/spec/lib/sanitize_config_spec.rb b/spec/lib/sanitize_config_spec.rb index 2d82c00ea..7370c536b 100644 --- a/spec/lib/sanitize_config_spec.rb +++ b/spec/lib/sanitize_config_spec.rb @@ -7,6 +7,12 @@ describe Sanitize::Config do describe '::MASTODON_STRICT' do subject { Sanitize::Config::MASTODON_STRICT } + around do |example| + original_web_domain = Rails.configuration.x.web_domain + example.run + Rails.configuration.x.web_domain = original_web_domain + end + it 'keeps h1' do expect(Sanitize.fragment('

Foo

', subject)).to eq '

Foo

' end @@ -32,7 +38,12 @@ describe Sanitize::Config do end it 'keeps a with href and rel tag' do - expect(Sanitize.fragment('', subject)).to eq 'Test' + expect(Sanitize.fragment('', subject)).to eq 'Test' + end + + it 'keeps a with href and rel tag, not adding to rel if url is local' do + Rails.configuration.x.web_domain = 'domain.test' + expect(Sanitize.fragment('', subject.merge(outgoing: true))).to eq '' end end end