mastodon API: do not sanitize html in non-html fields
This commit is contained in:
parent
946de2299c
commit
983a87175e
6 changed files with 10 additions and 25 deletions
|
@ -37,6 +37,7 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/).
|
||||||
- **Breaking:** Admin API: `PUT /api/pleroma/admin/reports/:id` is now `PATCH /api/pleroma/admin/reports`, see admin_api.md for details
|
- **Breaking:** Admin API: `PUT /api/pleroma/admin/reports/:id` is now `PATCH /api/pleroma/admin/reports`, see admin_api.md for details
|
||||||
- **Breaking:** `/api/pleroma/admin/users/invite_token` now uses `POST`, changed accepted params and returns full invite in json instead of only token string.
|
- **Breaking:** `/api/pleroma/admin/users/invite_token` now uses `POST`, changed accepted params and returns full invite in json instead of only token string.
|
||||||
- **Breaking** replying to reports is now "report notes", enpoint changed from `POST /api/pleroma/admin/reports/:id/respond` to `POST /api/pleroma/admin/reports/:id/notes`
|
- **Breaking** replying to reports is now "report notes", enpoint changed from `POST /api/pleroma/admin/reports/:id/respond` to `POST /api/pleroma/admin/reports/:id/notes`
|
||||||
|
- Mastodon API: stopped sanitizing display names, field names and subject fields since they are supposed to be treated as plaintext
|
||||||
- Admin API: Return `total` when querying for reports
|
- Admin API: Return `total` when querying for reports
|
||||||
- Mastodon API: Return `pleroma.direct_conversation_id` when creating a direct message (`POST /api/v1/statuses`)
|
- Mastodon API: Return `pleroma.direct_conversation_id` when creating a direct message (`POST /api/v1/statuses`)
|
||||||
- Admin API: Return link alongside with token on password reset
|
- Admin API: Return link alongside with token on password reset
|
||||||
|
|
|
@ -67,7 +67,7 @@ def render("relationships.json", %{user: user, targets: targets}) do
|
||||||
end
|
end
|
||||||
|
|
||||||
defp do_render("show.json", %{user: user} = opts) do
|
defp do_render("show.json", %{user: user} = opts) do
|
||||||
display_name = HTML.strip_tags(user.name || user.nickname)
|
display_name = user.name || user.nickname
|
||||||
|
|
||||||
image = User.avatar_url(user) |> MediaProxy.url()
|
image = User.avatar_url(user) |> MediaProxy.url()
|
||||||
header = User.banner_url(user) |> MediaProxy.url()
|
header = User.banner_url(user) |> MediaProxy.url()
|
||||||
|
@ -105,7 +105,7 @@ defp do_render("show.json", %{user: user} = opts) do
|
||||||
|> User.fields()
|
|> User.fields()
|
||||||
|> Enum.map(fn %{"name" => name, "value" => value} ->
|
|> Enum.map(fn %{"name" => name, "value" => value} ->
|
||||||
%{
|
%{
|
||||||
"name" => Pleroma.HTML.strip_tags(name),
|
"name" => name,
|
||||||
"value" => Pleroma.HTML.filter_tags(value, Pleroma.HTML.Scrubber.LinksOnly)
|
"value" => Pleroma.HTML.filter_tags(value, Pleroma.HTML.Scrubber.LinksOnly)
|
||||||
}
|
}
|
||||||
end)
|
end)
|
||||||
|
|
|
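Review bot: `"name" => name` now returns the field name unfiltered while `"value"` on the next line still goes through `Pleroma.HTML.filter_tags/2` with `Scrubber.LinksOnly`, so the two keys of one field map follow different contracts with nothing in the code saying so; the same applies to `display_name = user.name || user.nickname` in the earlier hunk (@ -67,7). Both values are user-supplied and were stripped before, so any consumer that renders them through the same path as `value` (or as HTML at all) now receives raw markup, which the updated tests confirm. Record the contract where it is decided: `# "name" is plaintext per the Mastodon API and is deliberately not scrubbed; "value" is HTML` here, with a matching comment on the display_name line, and check that Pleroma's own HTML-rendering call sites of `user.name` do not rely on this view having stripped it. `do_render/2` starts in the first hunk and ends outside both.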
@ -5,7 +5,6 @@
|
||||||
defmodule Pleroma.Web.MastodonAPI.PollView do
|
defmodule Pleroma.Web.MastodonAPI.PollView do
|
||||||
use Pleroma.Web, :view
|
use Pleroma.Web, :view
|
||||||
|
|
||||||
alias Pleroma.HTML
|
|
||||||
alias Pleroma.Web.CommonAPI.Utils
|
alias Pleroma.Web.CommonAPI.Utils
|
||||||
|
|
||||||
def render("show.json", %{object: object, multiple: multiple, options: options} = params) do
|
def render("show.json", %{object: object, multiple: multiple, options: options} = params) do
|
||||||
|
@ -57,7 +56,7 @@ defp options_and_votes_count(options) do
|
||||||
current_count = option["replies"]["totalItems"] || 0
|
current_count = option["replies"]["totalItems"] || 0
|
||||||
|
|
||||||
{%{
|
{%{
|
||||||
title: HTML.strip_tags(name),
|
title: name,
|
||||||
votes_count: current_count
|
votes_count: current_count
|
||||||
}, current_count + count}
|
}, current_count + count}
|
||||||
end)
|
end)
|
||||||
|
|
|
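Review bot: `title: name` passes each poll option's name through untouched, and with `alias Pleroma.HTML` removed in the first hunk (@ -5,7) nothing in this module scrubs poll data any more. The surrounding code reads `option["replies"]["totalItems"]`, which suggests these options come from the stored activity object rather than from a local user, so for federated polls this is presumably remote-controlled text reaching API clients unfiltered — worth confirming, and worth a comment on the changed line: `# option title is plaintext per the Mastodon API; not scrubbed, clients must escape it before rendering as HTML`. A test with an option name containing markup and one containing a bare `<` would pin both halves of that contract. `options_and_votes_count/1` begins outside the hunk.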
@ -216,21 +216,6 @@ def render("show.json", %{activity: %{data: %{"object" => _object}} = activity}
|
||||||
|
|
||||||
summary = object.data["summary"] || ""
|
summary = object.data["summary"] || ""
|
||||||
|
|
||||||
summary_html =
|
|
||||||
summary
|
|
||||||
|> HTML.get_cached_scrubbed_html_for_activity(
|
|
||||||
User.html_filter_policy(opts[:for]),
|
|
||||||
activity,
|
|
||||||
"mastoapi:summary"
|
|
||||||
)
|
|
||||||
|
|
||||||
summary_plaintext =
|
|
||||||
summary
|
|
||||||
|> HTML.get_cached_stripped_html_for_activity(
|
|
||||||
activity,
|
|
||||||
"mastoapi:summary"
|
|
||||||
)
|
|
||||||
|
|
||||||
card = render("card.json", Pleroma.Web.RichMedia.Helpers.fetch_data_for_activity(activity))
|
card = render("card.json", Pleroma.Web.RichMedia.Helpers.fetch_data_for_activity(activity))
|
||||||
|
|
||||||
url =
|
url =
|
||||||
|
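Review bot: Dropping `summary_html` and `summary_plaintext` leaves `summary` (`object.data["summary"] || ""`) to be emitted as-is in both `spoiler_text: summary` (@ -282,7) and `spoiler_text: %{"text/plain" => summary}` (@ -299,7), so the per-user `User.html_filter_policy(opts[:for])` that presumably still applies to content no longer touches the subject, and the `"text/plain"` key now holds whatever the object carried. That is the intended Mastodon contract, but it is enforced only by the key name and the changelog; for federated statuses the summary is presumably remote-supplied, so a client that renders spoiler_text as HTML gets unscrubbed markup. Put the decision next to the data: `# summary is plaintext in the Mastodon API; deliberately not scrubbed or stripped — clients must escape it` above `summary = object.data["summary"] || ""`, and consider a status_view test with a summary containing markup so the contract is pinned the way the account tests now pin field names. The `render("show.json", ...)` clause begins before this hunk and ends after the last one.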
@ -282,7 +267,7 @@ def render("show.json", %{activity: %{data: %{"object" => _object}} = activity}
|
||||||
muted: thread_muted? || User.mutes?(opts[:for], user),
|
muted: thread_muted? || User.mutes?(opts[:for], user),
|
||||||
pinned: pinned?(activity, user),
|
pinned: pinned?(activity, user),
|
||||||
sensitive: sensitive,
|
sensitive: sensitive,
|
||||||
spoiler_text: summary_html,
|
spoiler_text: summary,
|
||||||
visibility: get_visibility(object),
|
visibility: get_visibility(object),
|
||||||
media_attachments: attachments,
|
media_attachments: attachments,
|
||||||
poll: render(PollView, "show.json", object: object, for: opts[:for]),
|
poll: render(PollView, "show.json", object: object, for: opts[:for]),
|
||||||
|
@ -299,7 +284,7 @@ def render("show.json", %{activity: %{data: %{"object" => _object}} = activity}
|
||||||
conversation_id: get_context_id(activity),
|
conversation_id: get_context_id(activity),
|
||||||
in_reply_to_account_acct: reply_to_user && reply_to_user.nickname,
|
in_reply_to_account_acct: reply_to_user && reply_to_user.nickname,
|
||||||
content: %{"text/plain" => content_plaintext},
|
content: %{"text/plain" => content_plaintext},
|
||||||
spoiler_text: %{"text/plain" => summary_plaintext},
|
spoiler_text: %{"text/plain" => summary},
|
||||||
expires_at: expires_at,
|
expires_at: expires_at,
|
||||||
direct_conversation_id: direct_conversation_id,
|
direct_conversation_id: direct_conversation_id,
|
||||||
thread_muted: thread_muted?,
|
thread_muted: thread_muted?,
|
||||||
|
|
|
@ -269,7 +269,7 @@ test "update fields", %{conn: conn} do
|
||||||
|> json_response(200)
|
|> json_response(200)
|
||||||
|
|
||||||
assert account_data["fields"] == [
|
assert account_data["fields"] == [
|
||||||
%{"name" => "foo", "value" => "bar"},
|
%{"name" => "<a href=\"http://google.com\">foo</a>", "value" => "bar"},
|
||||||
%{"name" => "link", "value" => ~S(<a href="http://cofe.io" rel="ugc">cofe.io</a>)}
|
%{"name" => "link", "value" => ~S(<a href="http://cofe.io" rel="ugc">cofe.io</a>)}
|
||||||
]
|
]
|
||||||
|
|
||||||
|
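Review bot: The updated assertion pins only the half of the new contract that is easy to see — a field name containing an `<a href=...>` tag comes back verbatim — and the same pattern repeats in the second hunk (@ -297,7) and in the display-name test further down (@ -368,10). Neither covers the case that motivates the change: a plaintext name such as `1 < 2` or `a <b> c` that the old `strip_tags/1` would have mangled. Add one field, e.g. `%{"name" => "1 < 2", "value" => "bar"}`, to the submitted fields and assert it round-trips unchanged, so a future reviewer can tell that the raw markup in this assertion is intentional rather than an escaping bug. `test "update fields"` starts outside the hunk.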
@ -297,7 +297,7 @@ test "update fields", %{conn: conn} do
|
||||||
|> json_response(200)
|
|> json_response(200)
|
||||||
|
|
||||||
assert account["fields"] == [
|
assert account["fields"] == [
|
||||||
%{"name" => "foo", "value" => "bar"},
|
%{"name" => "<a href=\"http://google.com\">foo</a>", "value" => "bar"},
|
||||||
%{"name" => "link", "value" => ~S(<a href="http://cofe.io" rel="ugc">cofe.io</a>)}
|
%{"name" => "link", "value" => ~S(<a href="http://cofe.io" rel="ugc">cofe.io</a>)}
|
||||||
]
|
]
|
||||||
|
|
||||||
|
|
|
@ -368,10 +368,10 @@ test "returns the settings store if the requesting user is the represented user
|
||||||
assert result.pleroma[:settings_store] == nil
|
assert result.pleroma[:settings_store] == nil
|
||||||
end
|
end
|
||||||
|
|
||||||
test "sanitizes display names" do
|
test "doesn't sanitize display names" do
|
||||||
user = insert(:user, name: "<marquee> username </marquee>")
|
user = insert(:user, name: "<marquee> username </marquee>")
|
||||||
result = AccountView.render("show.json", %{user: user})
|
result = AccountView.render("show.json", %{user: user})
|
||||||
refute result.display_name == "<marquee> username </marquee>"
|
assert result.display_name == "<marquee> username </marquee>"
|
||||||
end
|
end
|
||||||
|
|
||||||
test "never display nil user follow counts" do
|
test "never display nil user follow counts" do
|
||||||
|
|