From 6d4f99d9b30d2b0412dcc7b20ef5a87000a54892 Mon Sep 17 00:00:00 2001
From: Alex Gleason
Date: Sat, 26 Nov 2022 16:07:26 -0600
Subject: [PATCH] Disable inline images

---
 config/config.exs | 4 +---
 priv/scrubbers/default.ex | 1 -
 test/pleroma/web/activity_pub/mrf/normalize_markup_test.exs | 4 ++++
 3 files changed, 5 insertions(+), 4 deletions(-)

diff --git a/config/config.exs b/config/config.exs
index 89fd481d15..08e6c0bc4e 100644
--- a/config/config.exs
+++ b/config/config.exs
@@ -274,9 +274,7 @@
 }
 config :pleroma, :markup,
- # XXX - unfortunately, inline images must be enabled by default right now, because
- # of custom emoji. Issue #275 discusses defanging that somehow.
- allow_inline_images: true,
+ allow_inline_images: false,
 allow_headings: false,
 allow_tables: false,
 allow_fonts: false,
diff --git a/priv/scrubbers/default.ex b/priv/scrubbers/default.ex
index afb94e5af7..3486a3d471 100644
--- a/priv/scrubbers/default.ex
+++ b/priv/scrubbers/default.ex
@@ -79,7 +79,6 @@ defmodule Pleroma.HTML.Scrubber.Default do
 Meta.allow_tag_with_these_attributes(:img, [
 "width",
 "height",
- "class",
 "title",
 "alt"
 ])
diff --git a/test/pleroma/web/activity_pub/mrf/normalize_markup_test.exs b/test/pleroma/web/activity_pub/mrf/normalize_markup_test.exs
index 66a8f4e44a..530c5f4a08 100644
--- a/test/pleroma/web/activity_pub/mrf/normalize_markup_test.exs
+++ b/test/pleroma/web/activity_pub/mrf/normalize_markup_test.exs
@@ -15,6 +15,8 @@ defmodule Pleroma.Web.ActivityPub.MRF.NormalizeMarkupTest do
 this is a link with not allowed "rel" attribute: example.com this is an image:
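Review bot: The new `allow_inline_images: false` line in the `config :pleroma, :markup` hunk deletes the comment that recorded why the option had been `true` (custom emoji, issue #275) without replacing it, so the reason for the new default and the fate of custom emoji rendering are no longer documented anywhere in the file. Nothing in the commit shows how custom emoji are rendered once inline images are off, so that should be stated rather than left to the reader. Assuming custom emoji no longer depend on this flag, a comment above the key such as `# Disabled by default: <img> in remote markup makes clients fetch third-party content; custom emoji do not rely on this setting (see issue #275)` would preserve the history the removed lines carried.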
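Review bot: Dropping `"class"` from the `:img` allow-list in `Meta.allow_tag_with_these_attributes` leaves no explanation of why that attribute is no longer permitted, and nothing in the hunk connects it to the config change in the same commit. If the intent is that federated markup must not attach local CSS classes to images (for example to style itself as locally rendered content), a one-line comment in the list would make the policy explicit: `# "class" is deliberately not allowed: remote markup must not borrow local CSS classes`. The only test touched by this commit is the NormalizeMarkup MRF test, so unless that test exercises this scrubber a regression test for the `class` removal appears to be missing. The enclosing `defmodule Pleroma.HTML.Scrubber.Default` starts outside the hunk, and `src` is not in this list, so its handling is also outside view.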
+
mean
+ """ @expected """ @@ -25,6 +27,8 @@ defmodule Pleroma.Web.ActivityPub.MRF.NormalizeMarkupTest do this is a link with not allowed "rel" attribute: example.com this is an image:
alert('hacked') + mean + """ test "it filter html tags" do