Strip unsafe html on output in TwAPI.

2017-06-18 13:40:35 +02:00 · 2017-06-18 13:40:35 +02:00 · 8feec8d390
commit 8feec8d390
parent a9bfbcae80
2 changed files with 3 additions and 3 deletions
--- a/lib/pleroma/web/twitter_api/representers/activity_representer.ex
+++ b/lib/pleroma/web/twitter_api/representers/activity_representer.ex
@ -105,7 +105,7 @@ def to_map(%Activity{data: %{"object" => %{"content" => content} = object}} = ac
      "id" => activity.id,
      "user" => UserRepresenter.to_map(user, opts),
      "attentions" => [],
-      "statusnet_html" => content,
+      "statusnet_html" => HtmlSanitizeEx.basic_html(content),
      "text" => HtmlSanitizeEx.strip_tags(content),
      "is_local" => true,
      "is_post_verb" => true,
--- a/test/web/twitter_api/representers/activity_representer_test.exs
+++ b/test/web/twitter_api/representers/activity_representer_test.exs
@ -67,7 +67,7 @@ test "an activity" do
      }
    }

-    content_html = "Some #content #mentioning <a href='#{mentioned_user.ap_id}'>@shp</shp>"
+    content_html = "<script>alert('YAY')</script>Some #content #mentioning <a href='#{mentioned_user.ap_id}'>@shp</a>"
    content = HtmlSanitizeEx.strip_tags(content_html)
    date = DateTime.from_naive!(~N[2016-05-24 13:26:08.003], "Etc/UTC") |> DateTime.to_iso8601

@ -108,7 +108,7 @@ test "an activity" do
      "user" => UserRepresenter.to_map(user, %{for: follower}),
      "is_local" => true,
      "attentions" => [],
-      "statusnet_html" => content_html <> "<br>\n#nsfw",
+      "statusnet_html" => HtmlSanitizeEx.basic_html(content_html) <> "<br />\n#nsfw",
      "text" => content <> "\n#nsfw",
      "is_post_verb" => true,
      "created_at" => "Tue May 24 13:26:08 +0000 2016",