Whitelist allowed classes for federated statuses (#3810)

* Whitelist allowed classes for federated statuses

Allowed classes are currently:

 - Any microformats class (h/p/u/dt/e-*)
 - the classes mention, hashtag, ellipses and invisible.

this last one is somewhat suspect, but Mastodon currently uses it to render hidden link text.

resolved #3790

* Fix code style
master
nightpool 8 years ago committed by Eugen Rochko
parent 8fd931dc12
commit 94d0e012de
  1. 21
      app/lib/sanitize_config.rb
  2. 8
      spec/lib/formatter_spec.rb

@ -4,6 +4,21 @@ class Sanitize
module Config module Config
HTTP_PROTOCOLS ||= ['http', 'https', :relative].freeze HTTP_PROTOCOLS ||= ['http', 'https', :relative].freeze
CLASS_WHITELIST_TRANSFORMER = lambda do |env|
node = env[:node]
class_list = node['class']&.split(' ')
return unless class_list
class_list.keep_if do |e|
return true if e =~ /^(h|p|u|dt|e)-/ # microformats classes
return true if e =~ /^(mention|hashtag)$/ # semantic classes
return true if e =~ /^(ellipsis|invisible)$/ # link formatting classes
end
node['class'] = class_list.join(' ')
end
MASTODON_STRICT ||= freeze_config( MASTODON_STRICT ||= freeze_config(
elements: %w(p br span a), elements: %w(p br span a),
@ -21,7 +36,11 @@ class Sanitize
protocols: { protocols: {
'a' => { 'href' => HTTP_PROTOCOLS }, 'a' => { 'href' => HTTP_PROTOCOLS },
} },
transformers: [
CLASS_WHITELIST_TRANSFORMER,
]
) )
MASTODON_OEMBED ||= freeze_config merge( MASTODON_OEMBED ||= freeze_config merge(

@ -204,6 +204,14 @@ RSpec.describe Formatter do
is_expected.to_not include '<script>alert("Hello")</script>' is_expected.to_not include '<script>alert("Hello")</script>'
end end
end end
context 'contains malicious classes' do
let(:text) { '<span class="status__content__spoiler-link">Show more</span>' }
it 'strips malicious classes' do
is_expected.to_not include 'status__content__spoiler-link'
end
end
end end
describe '#plaintext' do describe '#plaintext' do

Loading…
Cancel
Save