From 7f0e291483881a5fa8bb714c65b911e8884c68d1 Mon Sep 17 00:00:00 2001 From: William Pitcock Date: Sat, 22 Sep 2018 03:19:43 +0000 Subject: [PATCH 1/2] html: twittertext: add missing catchall scrub function --- lib/pleroma/html.ex | 2 ++ 1 file changed, 2 insertions(+) diff --git a/lib/pleroma/html.ex b/lib/pleroma/html.ex index 878fac28c0..cf18f070c6 100644 --- a/lib/pleroma/html.ex +++ b/lib/pleroma/html.ex @@ -69,6 +69,8 @@ defmodule Pleroma.HTML.Scrubber.TwitterText do "alt" ]) end + + Meta.strip_everything_not_covered() end defmodule Pleroma.HTML.Scrubber.Default do From 85b59d07b64ad45fe5213a173e5857418620d171 Mon Sep 17 00:00:00 2001 From: William Pitcock Date: Sat, 22 Sep 2018 03:44:19 +0000 Subject: [PATCH 2/2] test: add smoketests for the scrubbing policies --- test/html_test.exs | 80 ++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 80 insertions(+) create mode 100644 test/html_test.exs diff --git a/test/html_test.exs b/test/html_test.exs new file mode 100644 index 0000000000..f7150759bb --- /dev/null +++ b/test/html_test.exs @@ -0,0 +1,80 @@ +defmodule Pleroma.HTMLTest do + alias Pleroma.HTML + use Pleroma.DataCase + + @html_sample """ + this is in bold +

this is a paragraph

+ this is a linebreak
+ this is an image:
+ + """ + + @html_onerror_sample """ + + """ + + describe "StripTags scrubber" do + test "works as expected" do + expected = """ + this is in bold + this is a paragraph + this is a linebreak + this is an image: + alert('hacked') + """ + + assert expected == HTML.strip_tags(@html_sample) + end + + test "does not allow attribute-based XSS" do + expected = "\n" + + assert expected == HTML.strip_tags(@html_onerror_sample) + end + end + + describe "TwitterText scrubber" do + test "normalizes HTML as expected" do + expected = """ + this is in bold +

this is a paragraph

+ this is a linebreak
+ this is an image:
+ alert('hacked') + """ + + assert expected == HTML.filter_tags(@html_sample, Pleroma.HTML.Scrubber.TwitterText) + end + + test "does not allow attribute-based XSS" do + expected = """ + + """ + + assert expected == HTML.filter_tags(@html_onerror_sample, Pleroma.HTML.Scrubber.TwitterText) + end + end + + describe "default scrubber" do + test "normalizes HTML as expected" do + expected = """ + this is in bold +

this is a paragraph

+ this is a linebreak
+ this is an image:
+ alert('hacked') + """ + + assert expected == HTML.filter_tags(@html_sample, Pleroma.HTML.Scrubber.Default) + end + + test "does not allow attribute-based XSS" do + expected = """ + + """ + + assert expected == HTML.filter_tags(@html_onerror_sample, Pleroma.HTML.Scrubber.Default) + end + end +end