[bugfix] Use custom bluemonday policy to disallow inline img tags (#2100)
This commit is contained in:
parent
3aedd937c3
commit
dc96562b40
17 changed files with 243 additions and 78 deletions
|
|
@ -20,6 +20,7 @@ package ap
|
|||
import (
|
||||
"github.com/superseriousbusiness/activity/pub"
|
||||
"github.com/superseriousbusiness/activity/streams"
|
||||
"github.com/superseriousbusiness/gotosocial/internal/text"
|
||||
)
|
||||
|
||||
/*
|
||||
|
|
@ -126,7 +127,8 @@ func NormalizeIncomingActivityObject(activity pub.Activity, rawJSON map[string]i
|
|||
}
|
||||
|
||||
// NormalizeIncomingContent replaces the Content of the given item
|
||||
// with the raw 'content' value from the raw json object map.
|
||||
// with the sanitized version of the raw 'content' value from the
|
||||
// raw json object map.
|
||||
//
|
||||
// noop if there was no content in the json object map or the
|
||||
// content was not a plain string.
|
||||
|
|
@ -145,6 +147,14 @@ func NormalizeIncomingContent(item WithSetContent, rawJSON map[string]interface{
|
|||
return
|
||||
}
|
||||
|
||||
// Content should be HTML encoded by default:
|
||||
// https://www.w3.org/TR/activitystreams-vocabulary/#dfn-content
|
||||
//
|
||||
// TODO: sanitize differently based on mediaType.
|
||||
// https://www.w3.org/TR/activitystreams-vocabulary/#dfn-mediatype
|
||||
content = text.SanitizeToHTML(content)
|
||||
content = text.MinifyHTML(content)
|
||||
|
||||
// Set normalized content property from the raw string;
|
||||
// this replaces any existing content property on the item.
|
||||
contentProp := streams.NewActivityStreamsContentProperty()
|
||||
|
|
@ -154,7 +164,8 @@ func NormalizeIncomingContent(item WithSetContent, rawJSON map[string]interface{
|
|||
|
||||
// NormalizeIncomingAttachments normalizes all attachments (if any) of the given
|
||||
// item, replacing the 'name' (aka content warning) field of each attachment
|
||||
// with the raw 'name' value from the raw json object map.
|
||||
// with the raw 'name' value from the raw json object map, and doing sanitization
|
||||
// on the result.
|
||||
//
|
||||
// noop if there are no attachments; noop if attachment is not a format
|
||||
// we can understand.
|
||||
|
|
@ -212,7 +223,8 @@ func NormalizeIncomingAttachments(item WithAttachment, rawJSON map[string]interf
|
|||
}
|
||||
|
||||
// NormalizeIncomingSummary replaces the Summary of the given item
|
||||
// with the raw 'summary' value from the raw json object map.
|
||||
// with the sanitized version of the raw 'summary' value from the
|
||||
// raw json object map.
|
||||
//
|
||||
// noop if there was no summary in the json object map or the
|
||||
// summary was not a plain string.
|
||||
|
|
@ -229,6 +241,11 @@ func NormalizeIncomingSummary(item WithSetSummary, rawJSON map[string]interface{
|
|||
return
|
||||
}
|
||||
|
||||
// Summary should be HTML encoded:
|
||||
// https://www.w3.org/TR/activitystreams-vocabulary/#dfn-summary
|
||||
summary = text.SanitizeToHTML(summary)
|
||||
summary = text.MinifyHTML(summary)
|
||||
|
||||
// Set normalized summary property from the raw string; this
|
||||
// will replace any existing summary property on the item.
|
||||
summaryProp := streams.NewActivityStreamsSummaryProperty()
|
||||
|
|
@ -254,6 +271,13 @@ func NormalizeIncomingName(item WithSetName, rawJSON map[string]interface{}) {
|
|||
return
|
||||
}
|
||||
|
||||
// Name *must not* include any HTML markup:
|
||||
// https://www.w3.org/TR/activitystreams-vocabulary/#dfn-name
|
||||
//
|
||||
// todo: We probably want to update this to allow
|
||||
// *escaped* HTML markup, but for now just nuke it.
|
||||
name = text.SanitizeToPlaintext(name)
|
||||
|
||||
// Set normalized name property from the raw string; this
|
||||
// will replace any existing name property on the item.
|
||||
nameProp := streams.NewActivityStreamsNameProperty()
|
||||
|
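Review bot: In NormalizeIncomingContent, `content = text.MinifyHTML(content)` runs after `content = text.SanitizeToHTML(content)`, so the minifier rather than the sanitizer is the last transformation applied before the value is stored on the item; NormalizeIncomingSummary uses the same order. Unless MinifyHTML is known to be a pure parse-and-reserialize step that cannot reintroduce markup, consider swapping the two calls so the sanitizer's output is what gets stored, or add a comment stating that the minifier is trusted not to alter the sanitized result. Separately, the added `// TODO: sanitize differently based on mediaType.` means the stored content is HTML-sanitized regardless of the item's declared mediaType, which the function's doc comment should state, e.g. `// The resulting content is always HTML-sanitized and minified, whatever mediaType the item declares.` The bodies of NormalizeIncomingContent and NormalizeIncomingSummary continue outside these hunks.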
|
|
|||
|
|
@ -146,7 +146,7 @@ func (suite *NormalizeTestSuite) getStatusableWithMultipleAttachments() (vocab.A
|
|||
"type": "Document",
|
||||
"mediaType": "image/jpeg",
|
||||
"url": "https://files.example.org/media_attachments/files/110/258/459/579/509/026/original/b65392ebe0fb04ef.jpeg",
|
||||
"name": "danger: #cute but will claw you :("
|
||||
"name": "image of a cat & there's a note saying: <danger: #cute but will claw you :(>"
|
||||
}
|
||||
]
|
||||
}`)
|
||||
|
|
@ -192,7 +192,7 @@ func (suite *NormalizeTestSuite) TestNormalizeActivityObject() {
|
|||
)
|
||||
|
||||
ap.NormalizeIncomingActivityObject(create, map[string]interface{}{"object": rawNote})
|
||||
suite.Equal(`UPDATE: As of this morning there are now more than 7 million Mastodon users, most from the <a class="hashtag" data-tag="twittermigration" href="https://example.org/tag/twittermigration" rel="tag ugc">#TwitterMigration</a>.<br><br>In fact, 100,000 new accounts have been created since last night.<br><br>Since last night's spike 8,000-12,000 new accounts are being created every hour.<br><br>Yesterday, I estimated that Mastodon would have 8 million users by the end of the week. That might happen a lot sooner if this trend continues.`, ap.ExtractContent(note))
|
||||
suite.Equal(`UPDATE: As of this morning there are now more than 7 million Mastodon users, most from the <a class="hashtag" href="https://example.org/tag/twittermigration" rel="tag ugc nofollow noreferrer noopener" target="_blank">#TwitterMigration</a>.<br><br>In fact, 100,000 new accounts have been created since last night.<br><br>Since last night's spike 8,000-12,000 new accounts are being created every hour.<br><br>Yesterday, I estimated that Mastodon would have 8 million users by the end of the week. That might happen a lot sooner if this trend continues.`, ap.ExtractContent(note))
|
||||
}
|
||||
|
||||
func (suite *NormalizeTestSuite) TestNormalizeStatusableAttachmentsOneAttachment() {
|
||||
|
|
@ -224,7 +224,7 @@ func (suite *NormalizeTestSuite) TestNormalizeStatusableAttachmentsOneAttachment
|
|||
"@context": "https://www.w3.org/ns/activitystreams",
|
||||
"attachment": {
|
||||
"mediaType": "image/jpeg",
|
||||
"name": "DESCRIPTION: here's \u003c\u003ca\u003e\u003e picture of a #cat, it's cute! here's some special characters: \"\" \\ weeee''''",
|
||||
"name": "DESCRIPTION: here's \u003c\u003e picture of a #cat, it's cute! here's some special characters: \"\" \\ weeee''''",
|
||||
"type": "Document",
|
||||
"url": "https://files.example.org/media_attachments/files/110/258/459/579/509/026/original/b65392ebe0fb04ef.jpeg"
|
||||
},
|
||||
|
|
@ -265,7 +265,7 @@ func (suite *NormalizeTestSuite) TestNormalizeStatusableAttachmentsOneAttachment
|
|||
"@context": "https://www.w3.org/ns/activitystreams",
|
||||
"attachment": {
|
||||
"mediaType": "image/jpeg",
|
||||
"name": "DESCRIPTION: here's \u003c\u003ca\u003e\u003e picture of a #cat, it's cute! here's some special characters: \"\" \\ weeee''''",
|
||||
"name": "DESCRIPTION: here's \u003c\u003e picture of a #cat, it's cute! here's some special characters: \"\" \\ weeee''''",
|
||||
"type": "Document",
|
||||
"url": "https://files.example.org/media_attachments/files/110/258/459/579/509/026/original/b65392ebe0fb04ef.jpeg"
|
||||
},
|
||||
|
|
@ -304,7 +304,7 @@ func (suite *NormalizeTestSuite) TestNormalizeStatusableAttachmentsMultipleAttac
|
|||
},
|
||||
{
|
||||
"mediaType": "image/jpeg",
|
||||
"name": "danger: #cute%20but%20will%20claw%20you%20:(",
|
||||
"name": "image of a cat \u0026amp; there's a note saying: \u0026lt;danger: #cute but will claw you :(\u0026gt;",
|
||||
"type": "Document",
|
||||
"url": "https://files.example.org/media_attachments/files/110/258/459/579/509/026/original/b65392ebe0fb04ef.jpeg"
|
||||
}
|
||||
|
|
@ -326,7 +326,7 @@ func (suite *NormalizeTestSuite) TestNormalizeStatusableAttachmentsMultipleAttac
|
|||
"attachment": [
|
||||
{
|
||||
"mediaType": "image/jpeg",
|
||||
"name": "DESCRIPTION: here's \u003c\u003ca\u003e\u003e picture of a #cat, it's cute! here's some special characters: \"\" \\ weeee''''",
|
||||
"name": "DESCRIPTION: here's \u003c\u003e picture of a #cat, it's cute! here's some special characters: \"\" \\ weeee''''",
|
||||
"type": "Document",
|
||||
"url": "https://files.example.org/media_attachments/files/110/258/459/579/509/026/original/b65392ebe0fb04ef.jpeg"
|
||||
},
|
||||
|
|
@ -343,7 +343,7 @@ func (suite *NormalizeTestSuite) TestNormalizeStatusableAttachmentsMultipleAttac
|
|||
},
|
||||
{
|
||||
"mediaType": "image/jpeg",
|
||||
"name": "danger: #cute but will claw you :(",
|
||||
"name": "image of a cat \u0026 there's a note saying:",
|
||||
"type": "Document",
|
||||
"url": "https://files.example.org/media_attachments/files/110/258/459/579/509/026/original/b65392ebe0fb04ef.jpeg"
|
||||
}
|
||||
|
|
@ -380,7 +380,7 @@ func (suite *NormalizeTestSuite) TestNormalizeStatusableSummary() {
|
|||
suite.Equal(`warning: #WEIRD%20%23SUMMARY%20;;;;a;;a;asv%20%20%20%20khop8273987(*%5E&%5E)`, ap.ExtractSummary(statusable))
|
||||
|
||||
ap.NormalizeIncomingSummary(statusable, rawAccount)
|
||||
suite.Equal(`warning: #WEIRD #SUMMARY ;;;;a;;a;asv khop8273987(*^&^)`, ap.ExtractSummary(statusable))
|
||||
suite.Equal(`warning: #WEIRD #SUMMARY ;;;;a;;a;asv khop8273987(*^&^)`, ap.ExtractSummary(statusable))
|
||||
}
|
||||
|
||||
func (suite *NormalizeTestSuite) TestNormalizeStatusableName() {
|
||||
|
|
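Review bot: The new expected string in TestNormalizeActivityObject encodes several sanitizer effects without saying so — the `data-tag` attribute is dropped and `rel="tag ugc nofollow noreferrer noopener" target="_blank"` is forced onto the hashtag anchor — so a future change in either direction would surface only as an opaque string mismatch. A short comment above the assertion would pin the intent, e.g. `// SanitizeToHTML strips data-* attributes and forces rel/target on every anchor, including hashtag links.` Similarly, the attachment name expectation `"name": "image of a cat \u0026 there's a note saying:"` loses the entire `<danger: …>` segment because the plaintext sanitizer treats it as a tag; a comment noting that this is the acknowledged lossy behaviour of NormalizeIncomingName would distinguish it from an accidental truncation. Which of the two name fixtures is the pre- and which the post-normalization value is not visible from these hunks alone.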
|
|||