Disable inline images

config/config.exs

@@ -274,9 +274,7 @@
   }
 
 config :pleroma, :markup,
-  # XXX - unfortunately, inline images must be enabled by default right now, because
-  # of custom emoji.  Issue #275 discusses defanging that somehow.
-  allow_inline_images: true,
+  allow_inline_images: false,
   allow_headings: false,
   allow_tables: false,
   allow_fonts: false,

priv/scrubbers/default.ex

@@ -79,7 +79,6 @@ defmodule Pleroma.HTML.Scrubber.Default do
     Meta.allow_tag_with_these_attributes(:img, [
       "width",
       "height",
-      "class",
       "title",
       "alt"
     ])

test/pleroma/web/activity_pub/mrf/normalize_markup_test.exs

@@ -15,6 +15,8 @@ defmodule Pleroma.Web.ActivityPub.MRF.NormalizeMarkupTest do
   this is a link with not allowed "rel" attribute: <a href="http://example.com/" rel="tag noallowed">example.com</a>
   this is an image: <img src="http://example.com/image.jpg"><br />
   <script>alert('hacked')</script>
+  <div class="wow no classes here">mean</div>
+  <img class="hehe" src="somewhere" />
   """
 
   @expected """
@@ -25,6 +27,8 @@ defmodule Pleroma.Web.ActivityPub.MRF.NormalizeMarkupTest do
   this is a link with not allowed &quot;rel&quot; attribute: <a href="http://example.com/">example.com</a>
   this is an image: <img src="http://example.com/image.jpg"/><br/>
   alert(&#39;hacked&#39;)
+  mean
+  <img src="somewhere"/>
   """
 
   test "it filter html tags" do