logo

pleroma

My custom branche(s) on git.pleroma.social/pleroma/pleroma git clone https://hacktivis.me/git/pleroma.git
commit: 8f3e750530874df2a92d131e256e94dcc77260f1
parent 7f0b3161eab7d3a3de7103d83ba62ee05ec1c28f
Author: Haelwenn (lanodan) Monnier <contact@hacktivis.me>
Date:   Sun, 27 Nov 2022 03:40:21 +0100

scrubbers: Scrub img class attribute

Closes: https://git.pleroma.social/pleroma/pleroma/-/merge_requests/3790


Diffstat:


Mpriv/scrubbers/default.ex3++-


Mpriv/scrubbers/twitter_text.ex3++-


Mtest/pleroma/html_test.exs26++++++++++++++++++++++++++


3 files changed, 30 insertions(+), 2 deletions(-)

diff --git a/priv/scrubbers/default.ex b/priv/scrubbers/default.ex
@@ -68,13 +68,14 @@ defmodule Pleroma.HTML.Scrubber.Default do
   @allow_inline_images Pleroma.Config.get([:markup, :allow_inline_images])
 
   if @allow_inline_images do
+    Meta.allow_tag_with_this_attribute_values(:img, "class", ["emoji"])
+
     # restrict img tags to http/https only, because of MediaProxy.
     Meta.allow_tag_with_uri_attributes(:img, ["src"], ["http", "https"])
 
     Meta.allow_tag_with_these_attributes(:img, [
       "width",
       "height",
-      "class",
       "title",
       "alt"
     ])
diff --git a/priv/scrubbers/twitter_text.ex b/priv/scrubbers/twitter_text.ex
@@ -45,13 +45,14 @@ defmodule Pleroma.HTML.Scrubber.TwitterText do
 
   # allow inline images for custom emoji
   if Pleroma.Config.get([:markup, :allow_inline_images]) do
+    Meta.allow_tag_with_this_attribute_values(:img, "class", ["emoji"])
+
     # restrict img tags to http/https only, because of MediaProxy.
     Meta.allow_tag_with_uri_attributes(:img, ["src"], ["http", "https"])
 
     Meta.allow_tag_with_these_attributes(:img, [
       "width",
       "height",
-      "class",
       "title",
       "alt"
     ])
diff --git a/test/pleroma/html_test.exs b/test/pleroma/html_test.exs
@@ -17,6 +17,7 @@ defmodule Pleroma.HTMLTest do
     this is a link with allowed "rel" attribute: <a href="http://example.com/" rel="tag">example.com</a>
     this is a link with not allowed "rel" attribute: <a href="http://example.com/" rel="tag noallowed">example.com</a>
     this is an image: <img src="http://example.com/image.jpg"><br />
+    this is an inline emoji: <img class="emoji" src="http://example.com/image.jpg"><br />
     <script>alert('hacked')</script>
   """
 
@@ -24,6 +25,10 @@ defmodule Pleroma.HTMLTest do
   <img src="http://example.com/image.jpg" onerror="alert('hacked')">
   """
 
+  @html_stillimage_sample """
+  <img class="still-image" src="http://example.com/image.jpg">
+  """
+
   @html_span_class_sample """
   <span class="animate-spin">hi</span>
   """
@@ -45,6 +50,7 @@ defmodule Pleroma.HTMLTest do
         this is a link with allowed &quot;rel&quot; attribute: example.com
         this is a link with not allowed &quot;rel&quot; attribute: example.com
         this is an image: 
+        this is an inline emoji: 
         alert(&#39;hacked&#39;)
       """
 
@@ -67,6 +73,7 @@ defmodule Pleroma.HTMLTest do
         this is a link with allowed &quot;rel&quot; attribute: <a href="http://example.com/" rel="tag">example.com</a>
         this is a link with not allowed &quot;rel&quot; attribute: <a href="http://example.com/">example.com</a>
         this is an image: <img src="http://example.com/image.jpg"/><br/>
+        this is an inline emoji: <img class="emoji" src="http://example.com/image.jpg"/><br/>
         alert(&#39;hacked&#39;)
       """
 
@@ -90,6 +97,15 @@ defmodule Pleroma.HTMLTest do
                HTML.filter_tags(@html_span_class_sample, Pleroma.HTML.Scrubber.TwitterText)
     end
 
+    test "does not allow images with invalid classes" do
+      expected = """
+      <img src="http://example.com/image.jpg"/>
+      """
+
+      assert expected ==
+               HTML.filter_tags(@html_stillimage_sample, Pleroma.HTML.Scrubber.TwitterText)
+    end
+
     test "does allow microformats" do
       expected = """
       <span class="h-card"><a class="u-url mention">@<span>foo</span></a></span>
@@ -121,6 +137,7 @@ defmodule Pleroma.HTMLTest do
         this is a link with allowed &quot;rel&quot; attribute: <a href="http://example.com/" rel="tag">example.com</a>
         this is a link with not allowed &quot;rel&quot; attribute: <a href="http://example.com/">example.com</a>
         this is an image: <img src="http://example.com/image.jpg"/><br/>
+        this is an inline emoji: <img class="emoji" src="http://example.com/image.jpg"/><br/>
         alert(&#39;hacked&#39;)
       """
 
@@ -143,6 +160,15 @@ defmodule Pleroma.HTMLTest do
       assert expected == HTML.filter_tags(@html_span_class_sample, Pleroma.HTML.Scrubber.Default)
     end
 
+    test "does not allow images with invalid classes" do
+      expected = """
+      <img src="http://example.com/image.jpg"/>
+      """
+
+      assert expected ==
+               HTML.filter_tags(@html_stillimage_sample, Pleroma.HTML.Scrubber.TwitterText)
+    end
+
     test "does allow microformats" do
       expected = """
       <span class="h-card"><a class="u-url mention">@<span>foo</span></a></span>