commit: 94d0e012dea89058b9c059636fb6d42f6565e534
parent: 8fd931dc126d0f90417a6614bd21bb945543e4f4
Author: nightpool <eg1290@gmail.com>
Date: Sat, 17 Jun 2017 14:26:05 -0400
Whitelist allowed classes for federated statuses (#3810)
* Whitelist allowed classes for federated statuses
Allowed classes are currently:
- Any microformats class (h/p/u/dt/e-*)
- the classes mention, hashtag, ellipsis and invisible.
this last one is somewhat suspect, but Mastodon currently uses it to render hidden link text.
resolved #3790
* Fix code style
Diffstat:
2 files changed, 28 insertions(+), 1 deletion(-)
diff --git a/app/lib/sanitize_config.rb b/app/lib/sanitize_config.rb
@@ -4,6 +4,21 @@ class Sanitize
module Config
HTTP_PROTOCOLS ||= ['http', 'https', :relative].freeze
+ CLASS_WHITELIST_TRANSFORMER = lambda do |env|
+ node = env[:node]
+ class_list = node['class']&.split(' ')
+
+ return unless class_list
+
+ class_list.keep_if do |e|
+ return true if e =~ /^(h|p|u|dt|e)-/ # microformats classes
+ return true if e =~ /^(mention|hashtag)$/ # semantic classes
+ return true if e =~ /^(ellipsis|invisible)$/ # link formatting classes
+ end
+
+ node['class'] = class_list.join(' ')
+ end
+
MASTODON_STRICT ||= freeze_config(
elements: %w(p br span a),
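Review bot: The `return true` on the three lines inside the `keep_if` block exits the enclosing lambda, not the block, because `return` in a plain block returns from the surrounding lambda; so the first class that matches an allowed pattern ends `CLASS_WHITELIST_TRANSFORMER` before `node['class'] = class_list.join(' ')` runs, and the original attribute is kept whole, including any disallowed class that follows, e.g. `class="mention status__content__spoiler-link"`. Only an attribute whose classes all fail the patterns is actually stripped, which is the one case the spec in this commit exercises. Replace each with `next true if e =~ /^(h|p|u|dt|e)-/`, `next true if e =~ /^(mention|hashtag)$/` and `next true if e =~ /^(ellipsis|invisible)$/` so the block yields a value per element and the join is reached. Anchoring with `\A`/`\z` instead of `^`/`$` would also be the safer habit, though `split(' ')` already leaves no newlines inside an element. The enclosing `Sanitize::Config` module continues outside the hunk.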
@@ -21,7 +36,11 @@ class Sanitize
protocols: {
'a' => { 'href' => HTTP_PROTOCOLS },
- }
+ },
+
+ transformers: [
+ CLASS_WHITELIST_TRANSFORMER,
+ ]
)
MASTODON_OEMBED ||= freeze_config merge(
diff --git a/spec/lib/formatter_spec.rb b/spec/lib/formatter_spec.rb
@@ -204,6 +204,14 @@ RSpec.describe Formatter do
is_expected.to_not include '<script>alert("Hello")</script>'
end
end
+
+ context 'contains malicious classes' do
+ let(:text) { '<span class="status__content__spoiler-link">Show more</span>' }
+
+ it 'strips malicious classes' do
+ is_expected.to_not include 'status__content__spoiler-link'
+ end
+ end
end
describe '#plaintext' do
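Review bot: The new 'contains malicious classes' example only covers an attribute holding a single disallowed class, so it cannot tell a transformer that filters the list apart from one that drops the attribute whenever nothing matches. Add a mixed case, `let(:text) { '<span class="mention status__content__spoiler-link">Show more</span>' }`, asserting `is_expected.to include 'mention'` and `is_expected.to_not include 'status__content__spoiler-link'`, so a disallowed class after an allowed one is shown to be removed while the allowed one survives. A positive example with a microformats class such as `h-card` would likewise pin the allow-list itself rather than only the rejection path. The enclosing `describe` block starts outside the hunk.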