From 6d4f99d9b30d2b0412dcc7b20ef5a87000a54892 Mon Sep 17 00:00:00 2001
From: Alex Gleason
Date: Sat, 26 Nov 2022 16:07:26 -0600
Subject: [PATCH 1/2] Disable inline images
---
 config/config.exs | 4 +---
 priv/scrubbers/default.ex | 1 -
 test/pleroma/web/activity_pub/mrf/normalize_markup_test.exs | 4 ++++
 3 files changed, 5 insertions(+), 4 deletions(-)
diff --git a/config/config.exs b/config/config.exs
index 89fd481d15..08e6c0bc4e 100644
--- a/config/config.exs
+++ b/config/config.exs
@@ -274,9 +274,7 @@
 }
 config :pleroma, :markup,
- # XXX - unfortunately, inline images must be enabled by default right now, because
- # of custom emoji. Issue #275 discusses defanging that somehow.
- allow_inline_images: true,
+ allow_inline_images: false,
 allow_headings: false,
 allow_tables: false,
 allow_fonts: false,
diff --git a/priv/scrubbers/default.ex b/priv/scrubbers/default.ex
index afb94e5af7..3486a3d471 100644
--- a/priv/scrubbers/default.ex
+++ b/priv/scrubbers/default.ex
@@ -79,7 +79,6 @@ defmodule Pleroma.HTML.Scrubber.Default do
 Meta.allow_tag_with_these_attributes(:img, [
 "width",
 "height",
- "class",
 "title",
 "alt"
 ])
diff --git a/test/pleroma/web/activity_pub/mrf/normalize_markup_test.exs b/test/pleroma/web/activity_pub/mrf/normalize_markup_test.exs
index 66a8f4e44a..530c5f4a08 100644
--- a/test/pleroma/web/activity_pub/mrf/normalize_markup_test.exs
+++ b/test/pleroma/web/activity_pub/mrf/normalize_markup_test.exs
@@ -15,6 +15,8 @@ defmodule Pleroma.Web.ActivityPub.MRF.NormalizeMarkupTest do
 this is a link with not allowed "rel" attribute: example.com
 this is an image:
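Review bot: The removed comment was the only record that custom emoji in remote markup depend on `allow_inline_images`, and the new `allow_inline_images: false,` line replaces it with nothing, so the next reader has no way to tell what the new default breaks or why Issue #275 matters. Keep a short comment above the line, e.g. `# Disabled by default; custom emoji in remote markup depend on inline images, see Issue #275.` Flipping a shipped default also changes behaviour for every existing instance on upgrade, so the reason for the flip (presumably that remote `<img>` content makes clients fetch third-party resources) belongs either here or in the commit message, which currently only says "Disable inline images".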
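Review bot: Dropping `"class"` from the `:img` attribute allowlist is not covered by the commit title and carries no comment, so it reads as an accidental edit rather than a hardening step. If the intent is that scrubbed remote markup must not be able to select frontend CSS classes, say so next to the list: `# "class" deliberately not allowed: remote markup must not pick up frontend CSS.` The second patch also has to change the expected emoji `<img>` string in formatter_test, which suggests locally generated emoji markup passes through this allowlist too; if so, any frontend styling keyed on an emoji class needs another hook, and that is worth confirming before merging.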
+
mean
+ """ @expected """
@@ -25,6 +27,8 @@ defmodule Pleroma.Web.ActivityPub.MRF.NormalizeMarkupTest do
 this is a link with not allowed "rel" attribute: example.com
 this is an image:
alert('hacked') + mean + """
 test "it filter html tags" do
From 2714e770c7de74b6807ac40e6b16008cfc31d8dc Mon Sep 17 00:00:00 2001
From: Alex Gleason
Date: Sat, 26 Nov 2022 17:07:15 -0600
Subject: [PATCH 2/2] Allow inline images in tests (for now)
---
 config/test.exs | 4 ++++
 test/pleroma/emoji/formatter_test.exs | 2 +-
 2 files changed, 5 insertions(+), 1 deletion(-)
diff --git a/config/test.exs b/config/test.exs
index b7ac741c08..c4bec4c66f 100644
--- a/config/test.exs
+++ b/config/test.exs
@@ -145,6 +145,10 @@
 # https://dashbit.co/blog/speeding-up-re-compilation-of-elixir-projects
 config :phoenix, :plug_init_mode, :runtime
+# Allow inline images in tests (for now).
+# FIXME: rework/remove tests that depend on this.
+config :pleroma, :markup, allow_inline_images: true
+
 if File.exists?("./config/test.secret.exs") do
 import_config "test.secret.exs"
 else
diff --git a/test/pleroma/emoji/formatter_test.exs b/test/pleroma/emoji/formatter_test.exs
index 7bacea3618..2ca2d07177 100644
--- a/test/pleroma/emoji/formatter_test.exs
+++ b/test/pleroma/emoji/formatter_test.exs
@@ -11,7 +11,7 @@ test "it adds cool emoji" do
 text = "I love :firefox:"
 expected_result =
- "I love \"firefox\""
+ "I love \"firefox\""
 assert Formatter.emojify(text) == expected_result
 end
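Review bot: The added `config :pleroma, :markup, allow_inline_images: true` re-enables the feature for the whole test suite, so after this series no test runs against the production default of `allow_inline_images: false`, and a regression in how remote `<img>` content is scrubbed under that default would pass unnoticed. Rather than a global override, scope it to the tests that need it (a per-test config override in their setup, using whatever config helper the project's test suite already provides) and add one assertion that images are stripped with the default config. The FIXME should also name the tests that depend on the override, so the "for now" has an owner; the `if File.exists?` block that follows continues outside the hunk.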