Merge branch 'security/fix-html-class-scrubbing' into 'develop'
html: lock down allowed class attributes to only those related to microformats See merge request pleroma/pleroma!1090
This commit is contained in:
commit
030a7876b4
2 changed files with 96 additions and 4 deletions
|
@ -106,7 +106,14 @@ defmodule Pleroma.HTML.Scrubber.TwitterText do
|
||||||
|
|
||||||
# links
|
# links
|
||||||
Meta.allow_tag_with_uri_attributes("a", ["href", "data-user", "data-tag"], @valid_schemes)
|
Meta.allow_tag_with_uri_attributes("a", ["href", "data-user", "data-tag"], @valid_schemes)
|
||||||
Meta.allow_tag_with_these_attributes("a", ["name", "title", "class"])
|
|
||||||
|
Meta.allow_tag_with_this_attribute_values("a", "class", [
|
||||||
|
"hashtag",
|
||||||
|
"u-url",
|
||||||
|
"mention",
|
||||||
|
"u-url mention",
|
||||||
|
"mention u-url"
|
||||||
|
])
|
||||||
|
|
||||||
Meta.allow_tag_with_this_attribute_values("a", "rel", [
|
Meta.allow_tag_with_this_attribute_values("a", "rel", [
|
||||||
"tag",
|
"tag",
|
||||||
|
@ -115,12 +122,15 @@ defmodule Pleroma.HTML.Scrubber.TwitterText do
|
||||||
"noreferrer"
|
"noreferrer"
|
||||||
])
|
])
|
||||||
|
|
||||||
|
Meta.allow_tag_with_these_attributes("a", ["name", "title"])
|
||||||
|
|
||||||
# paragraphs and linebreaks
|
# paragraphs and linebreaks
|
||||||
Meta.allow_tag_with_these_attributes("br", [])
|
Meta.allow_tag_with_these_attributes("br", [])
|
||||||
Meta.allow_tag_with_these_attributes("p", [])
|
Meta.allow_tag_with_these_attributes("p", [])
|
||||||
|
|
||||||
# microformats
|
# microformats
|
||||||
Meta.allow_tag_with_these_attributes("span", ["class"])
|
Meta.allow_tag_with_this_attribute_values("span", "class", ["h-card"])
|
||||||
|
Meta.allow_tag_with_these_attributes("span", [])
|
||||||
|
|
||||||
# allow inline images for custom emoji
|
# allow inline images for custom emoji
|
||||||
@allow_inline_images Keyword.get(@markup, :allow_inline_images)
|
@allow_inline_images Keyword.get(@markup, :allow_inline_images)
|
||||||
|
@ -155,7 +165,14 @@ defmodule Pleroma.HTML.Scrubber.Default do
|
||||||
Meta.strip_comments()
|
Meta.strip_comments()
|
||||||
|
|
||||||
Meta.allow_tag_with_uri_attributes("a", ["href", "data-user", "data-tag"], @valid_schemes)
|
Meta.allow_tag_with_uri_attributes("a", ["href", "data-user", "data-tag"], @valid_schemes)
|
||||||
Meta.allow_tag_with_these_attributes("a", ["name", "title", "class"])
|
|
||||||
|
Meta.allow_tag_with_this_attribute_values("a", "class", [
|
||||||
|
"hashtag",
|
||||||
|
"u-url",
|
||||||
|
"mention",
|
||||||
|
"u-url mention",
|
||||||
|
"mention u-url"
|
||||||
|
])
|
||||||
|
|
||||||
Meta.allow_tag_with_this_attribute_values("a", "rel", [
|
Meta.allow_tag_with_this_attribute_values("a", "rel", [
|
||||||
"tag",
|
"tag",
|
||||||
|
@ -164,6 +181,8 @@ defmodule Pleroma.HTML.Scrubber.Default do
|
||||||
"noreferrer"
|
"noreferrer"
|
||||||
])
|
])
|
||||||
|
|
||||||
|
Meta.allow_tag_with_these_attributes("a", ["name", "title"])
|
||||||
|
|
||||||
Meta.allow_tag_with_these_attributes("abbr", ["title"])
|
Meta.allow_tag_with_these_attributes("abbr", ["title"])
|
||||||
|
|
||||||
Meta.allow_tag_with_these_attributes("b", [])
|
Meta.allow_tag_with_these_attributes("b", [])
|
||||||
|
@ -177,11 +196,13 @@ defmodule Pleroma.HTML.Scrubber.Default do
|
||||||
Meta.allow_tag_with_these_attributes("ol", [])
|
Meta.allow_tag_with_these_attributes("ol", [])
|
||||||
Meta.allow_tag_with_these_attributes("p", [])
|
Meta.allow_tag_with_these_attributes("p", [])
|
||||||
Meta.allow_tag_with_these_attributes("pre", [])
|
Meta.allow_tag_with_these_attributes("pre", [])
|
||||||
Meta.allow_tag_with_these_attributes("span", ["class"])
|
|
||||||
Meta.allow_tag_with_these_attributes("strong", [])
|
Meta.allow_tag_with_these_attributes("strong", [])
|
||||||
Meta.allow_tag_with_these_attributes("u", [])
|
Meta.allow_tag_with_these_attributes("u", [])
|
||||||
Meta.allow_tag_with_these_attributes("ul", [])
|
Meta.allow_tag_with_these_attributes("ul", [])
|
||||||
|
|
||||||
|
Meta.allow_tag_with_this_attribute_values("span", "class", ["h-card"])
|
||||||
|
Meta.allow_tag_with_these_attributes("span", [])
|
||||||
|
|
||||||
@allow_inline_images Keyword.get(@markup, :allow_inline_images)
|
@allow_inline_images Keyword.get(@markup, :allow_inline_images)
|
||||||
|
|
||||||
if @allow_inline_images do
|
if @allow_inline_images do
|
||||||
|
|
|
@ -20,6 +20,18 @@ defmodule Pleroma.HTMLTest do
|
||||||
<img src="http://example.com/image.jpg" onerror="alert('hacked')">
|
<img src="http://example.com/image.jpg" onerror="alert('hacked')">
|
||||||
"""
|
"""
|
||||||
|
|
||||||
|
@html_span_class_sample """
|
||||||
|
<span class="animate-spin">hi</span>
|
||||||
|
"""
|
||||||
|
|
||||||
|
@html_span_microformats_sample """
|
||||||
|
<span class="h-card"><a class="u-url mention">@<span>foo</span></a></span>
|
||||||
|
"""
|
||||||
|
|
||||||
|
@html_span_invalid_microformats_sample """
|
||||||
|
<span class="h-card"><a class="u-url mention animate-spin">@<span>foo</span></a></span>
|
||||||
|
"""
|
||||||
|
|
||||||
describe "StripTags scrubber" do
|
describe "StripTags scrubber" do
|
||||||
test "works as expected" do
|
test "works as expected" do
|
||||||
expected = """
|
expected = """
|
||||||
|
@ -64,6 +76,36 @@ test "does not allow attribute-based XSS" do
|
||||||
|
|
||||||
assert expected == HTML.filter_tags(@html_onerror_sample, Pleroma.HTML.Scrubber.TwitterText)
|
assert expected == HTML.filter_tags(@html_onerror_sample, Pleroma.HTML.Scrubber.TwitterText)
|
||||||
end
|
end
|
||||||
|
|
||||||
|
test "does not allow spans with invalid classes" do
|
||||||
|
expected = """
|
||||||
|
<span>hi</span>
|
||||||
|
"""
|
||||||
|
|
||||||
|
assert expected ==
|
||||||
|
HTML.filter_tags(@html_span_class_sample, Pleroma.HTML.Scrubber.TwitterText)
|
||||||
|
end
|
||||||
|
|
||||||
|
test "does allow microformats" do
|
||||||
|
expected = """
|
||||||
|
<span class="h-card"><a class="u-url mention">@<span>foo</span></a></span>
|
||||||
|
"""
|
||||||
|
|
||||||
|
assert expected ==
|
||||||
|
HTML.filter_tags(@html_span_microformats_sample, Pleroma.HTML.Scrubber.TwitterText)
|
||||||
|
end
|
||||||
|
|
||||||
|
test "filters invalid microformats markup" do
|
||||||
|
expected = """
|
||||||
|
<span class="h-card"><a>@<span>foo</span></a></span>
|
||||||
|
"""
|
||||||
|
|
||||||
|
assert expected ==
|
||||||
|
HTML.filter_tags(
|
||||||
|
@html_span_invalid_microformats_sample,
|
||||||
|
Pleroma.HTML.Scrubber.TwitterText
|
||||||
|
)
|
||||||
|
end
|
||||||
end
|
end
|
||||||
|
|
||||||
describe "default scrubber" do
|
describe "default scrubber" do
|
||||||
|
@ -88,5 +130,34 @@ test "does not allow attribute-based XSS" do
|
||||||
|
|
||||||
assert expected == HTML.filter_tags(@html_onerror_sample, Pleroma.HTML.Scrubber.Default)
|
assert expected == HTML.filter_tags(@html_onerror_sample, Pleroma.HTML.Scrubber.Default)
|
||||||
end
|
end
|
||||||
|
|
||||||
|
test "does not allow spans with invalid classes" do
|
||||||
|
expected = """
|
||||||
|
<span>hi</span>
|
||||||
|
"""
|
||||||
|
|
||||||
|
assert expected == HTML.filter_tags(@html_span_class_sample, Pleroma.HTML.Scrubber.Default)
|
||||||
|
end
|
||||||
|
|
||||||
|
test "does allow microformats" do
|
||||||
|
expected = """
|
||||||
|
<span class="h-card"><a class="u-url mention">@<span>foo</span></a></span>
|
||||||
|
"""
|
||||||
|
|
||||||
|
assert expected ==
|
||||||
|
HTML.filter_tags(@html_span_microformats_sample, Pleroma.HTML.Scrubber.Default)
|
||||||
|
end
|
||||||
|
|
||||||
|
test "filters invalid microformats markup" do
|
||||||
|
expected = """
|
||||||
|
<span class="h-card"><a>@<span>foo</span></a></span>
|
||||||
|
"""
|
||||||
|
|
||||||
|
assert expected ==
|
||||||
|
HTML.filter_tags(
|
||||||
|
@html_span_invalid_microformats_sample,
|
||||||
|
Pleroma.HTML.Scrubber.Default
|
||||||
|
)
|
||||||
|
end
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
|
|
Loading…
Reference in a new issue