Merge remote-tracking branch 'soapbox/develop' into pleroma-events

2022-11-27 14:09:03 +01:00 · 2022-11-27 14:09:03 +01:00 · 1d011e6ed2
commit 1d011e6ed2
parent 58c70c88c2 cce9083282
5 changed files with 10 additions and 5 deletions
--- a/config/config.exs
+++ b/config/config.exs
@ -274,9 +274,7 @@
  }

 config :pleroma, :markup,
-  # XXX - unfortunately, inline images must be enabled by default right now, because
-  # of custom emoji.  Issue #275 discusses defanging that somehow.
-  allow_inline_images: true,
+  allow_inline_images: false,
  allow_headings: false,
  allow_tables: false,
  allow_fonts: false,
--- a/config/test.exs
+++ b/config/test.exs
@ -147,6 +147,10 @@
 # https://dashbit.co/blog/speeding-up-re-compilation-of-elixir-projects
 config :phoenix, :plug_init_mode, :runtime

+# Allow inline images in tests (for now).
+# FIXME: rework/remove tests that depend on this.
+config :pleroma, :markup, allow_inline_images: true
+
 if File.exists?("./config/test.secret.exs") do
  import_config "test.secret.exs"
 else
--- a/priv/scrubbers/default.ex
+++ b/priv/scrubbers/default.ex
@ -79,7 +79,6 @@ defmodule Pleroma.HTML.Scrubber.Default do
    Meta.allow_tag_with_these_attributes(:img, [
      "width",
      "height",
-      "class",
      "title",
      "alt"
    ])
--- a/test/pleroma/emoji/formatter_test.exs
+++ b/test/pleroma/emoji/formatter_test.exs
@ -11,7 +11,7 @@ test "it adds cool emoji" do
      text = "I love :firefox:"

      expected_result =
-        "I love <img class=\"emoji\" alt=\"firefox\" title=\"firefox\" src=\"/emoji/Firefox.gif\"/>"
+        "I love <img alt=\"firefox\" title=\"firefox\" src=\"/emoji/Firefox.gif\"/>"

      assert Formatter.emojify(text) == expected_result
    end
--- a/test/pleroma/web/activity_pub/mrf/normalize_markup_test.exs
+++ b/test/pleroma/web/activity_pub/mrf/normalize_markup_test.exs
@ -15,6 +15,8 @@ defmodule Pleroma.Web.ActivityPub.MRF.NormalizeMarkupTest do
  this is a link with not allowed "rel" attribute: <a href="http://example.com/" rel="tag noallowed">example.com</a>
  this is an image: <img src="http://example.com/image.jpg"><br />
  <script>alert('hacked')</script>
+  <div class="wow no classes here">mean</div>
+  <img class="hehe" src="somewhere" />
  """

  @expected """
@ -25,6 +27,8 @@ defmodule Pleroma.Web.ActivityPub.MRF.NormalizeMarkupTest do
  this is a link with not allowed &quot;rel&quot; attribute: <a href="http://example.com/">example.com</a>
  this is an image: <img src="http://example.com/image.jpg"/><br/>
  alert(&#39;hacked&#39;)
+  mean
+  <img src="somewhere"/>
  """

  test "it filter html tags" do