commit: 83c657afa557ac3cdfd2e3888511b403857de8aa
parent: 1af9c777365f3b54edcb572cea4e2e6f185b3099
Author: Roger Braun <roger@rogerbraun.net>
Date:   Wed, 14 Jun 2017 14:46:18 +0200

Do some basic escaping.

Diffstat:

Mlib/pleroma/web/twitter_api/utils.ex2+-
Mtest/web/twitter_api/twitter_api_test.exs2+-
Atest/web/twitter_api/twitter_api_utils_test.exs14++++++++++++++
3 files changed, 16 insertions(+), 2 deletions(-)

diff --git a/lib/pleroma/web/twitter_api/utils.ex b/lib/pleroma/web/twitter_api/utils.ex @@ -11,7 +11,7 @@ defmodule Pleroma.Web.TwitterAPI.Utils do def add_attachments(text, attachments) do attachment_text = Enum.map(attachments, fn (%{"url" => [%{"href" => href} | _]}) -> - "<a href='#{href}' class='attachment'>#{Path.basename(href)}</a>" + "<a href=\"#{URI.encode(href)}\" class='attachment'>#{Path.basename(href)}</a>" _ -> "" end) Enum.join([text | attachment_text], "<br>\n") diff --git a/test/web/twitter_api/twitter_api_test.exs b/test/web/twitter_api/twitter_api_test.exs @@ -34,7 +34,7 @@ defmodule Pleroma.Web.TwitterAPI.TwitterAPITest do { :ok, activity = %Activity{} } = TwitterAPI.create_status(user, input) - assert get_in(activity.data, ["object", "content"]) == "Hello again, <a href='shp'>@shp</a>.<br>\nThis is on another line. #2hu #epic #phantasmagoric<br>\n<a href='http://example.org/image.jpg' class='attachment'>image.jpg</a>" + assert get_in(activity.data, ["object", "content"]) == "Hello again, <a href='shp'>@shp</a>.<br>\nThis is on another line. #2hu #epic #phantasmagoric<br>\n<a href=\"http://example.org/image.jpg\" class='attachment'>image.jpg</a>" assert get_in(activity.data, ["object", "type"]) == "Note" assert get_in(activity.data, ["object", "actor"]) == user.ap_id assert get_in(activity.data, ["actor"]) == user.ap_id diff --git a/test/web/twitter_api/twitter_api_utils_test.exs b/test/web/twitter_api/twitter_api_utils_test.exs @@ -0,0 +1,14 @@ +defmodule Pleroma.Web.TwitterAPI.UtilsTest do + alias Pleroma.Web.TwitterAPI.Utils + use Pleroma.DataCase + + test "it adds attachment links to a given text and attachment set" do + attachment = %{ + "url" => [%{"href" => "http://heise.de/i\"m a boy.png"}] + } + + res = Utils.add_attachments("", [attachment]) + + assert res == "<br>\n<a href=\"http://heise.de/i%22m%20a%20boy.png\" class='attachment'>i\"m a boy.png</a>" + end +end
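Review bot: The link text `#{Path.basename(href)}` on the changed line is still interpolated into the markup unescaped, so a file name containing `<`, `>` or `&` is emitted as raw HTML even though the `href` attribute is now percent-encoded and double-quoted. I would escape it before interpolation, e.g. `name = href |> Path.basename() |> Phoenix.HTML.html_escape() |> Phoenix.HTML.safe_to_string()`, assuming Phoenix.HTML is a dependency here, which the diff does not show. Two smaller points on `URI.encode(href)`: it also escapes `%`, so an href that arrives already percent-encoded gets double-encoded, and it does not restrict the scheme, so if `href` can originate outside the local uploader an `http`/`https` check belongs here as well. The expected string in the new twitter_api_utils_test.exs pins the unescaped link text and would need updating with this change. The body of add_attachments continues past the end of the hunk.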
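Review bot: The new test in twitter_api_utils_test.exs exercises a single input, a double quote and spaces in the path, so neither the `_ -> ""` fallback clause of add_attachments nor an href that is already percent-encoded is covered. I would add a second case such as `assert Utils.add_attachments("text", [%{}]) == "text<br>\n"`; that expected value is inferred from the `Enum.join` call in the utils.ex hunk, so confirm it before committing. The test name could also state what is being checked, e.g. `test "it escapes the href of attachment links" do`.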