fix some XSS maybe

Signed-off-by: Sam Therapy <sam@samtherapy.net>
Sam Therapy 2022-11-26 18:07:28 +01:00
parent 7ad1637a7a
commit 1f1b72a11f
Signed by: sam
GPG key ID: 4D8B07C18F31ACBD


@ -71,10 +71,11 @@ defmodule Pleroma.HTML.Scrubber.Default do
# restrict img tags to http/https only, because of MediaProxy.
Meta.allow_tag_with_uri_attributes(:img, ["src"], ["http", "https"])
Meta.allow_tag_with_this_attribute_values(:img, ["class"], ["emoji"])
Meta.allow_tag_with_these_attributes(:img, [
"width",
"height",
"class",
"title",
"alt"
])
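Review bot: The new rule `Meta.allow_tag_with_this_attribute_values(:img, ["class"], ["emoji"])` passes the attribute name as a list, whereas this macro, as I know it from the sanitizer library, takes a single string and pattern-matches it against the attribute name. If that holds here, the list form never matches and the rule is a no-op; it would need to read `Meta.allow_tag_with_this_attribute_values(:img, "class", ["emoji"])`, so check it against the macro definition. The rendered page has lost its +/- markers, so also confirm that `"class"` is really gone from the `allow_tag_with_these_attributes(:img, [...])` list, since an unrestricted allow for the same attribute would let any class value through on remote `<img>` tags. A scrubber test asserting that `<img class="emoji">` keeps its class and that any other class value is stripped would settle both points.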