From 02f1c04fabab221130de8dfb5611be81825b193b Mon Sep 17 00:00:00 2001
From: Thibaut Girka <thib@sitedethib.com>
Date: Sun, 22 Mar 2020 17:56:49 +0100
Subject: [PATCH] =?UTF-8?q?Make=20sanitizer=20*not*=20add=20no-referrer=20?=
=?UTF-8?q?etc.=20in=20local=20markdown=20toots=20if=20the=20link=20is=20?=
=?UTF-8?q?=E2=80=9Csafe=E2=80=9D?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
app/lib/formatter.rb | 6 +++---
app/lib/sanitize_config.rb | 7 +++++--
spec/lib/sanitize_config_spec.rb | 13 ++++++++++++-
3 files changed, 20 insertions(+), 6 deletions(-)
diff --git a/app/lib/formatter.rb b/app/lib/formatter.rb
index b7a0286d2d..051f274082 100644
--- a/app/lib/formatter.rb
+++ b/app/lib/formatter.rb
@@ -59,7 +59,7 @@ class Formatter
html = "RT @#{prepend_reblog} #{html}" if prepend_reblog
html = format_markdown(html) if status.content_type == 'text/markdown'
html = encode_and_link_urls(html, linkable_accounts, keep_html: %w(text/markdown text/html).include?(status.content_type))
- html = reformat(html) if %w(text/markdown text/html).include?(status.content_type)
+ html = reformat(html, true) if %w(text/markdown text/html).include?(status.content_type)
html = encode_custom_emojis(html, status.emojis, options[:autoplay]) if options[:custom_emojify]
unless %w(text/markdown text/html).include?(status.content_type)
@@ -75,8 +75,8 @@ class Formatter
html.delete("\r").delete("\n")
end
- def reformat(html)
- sanitize(html, Sanitize::Config::MASTODON_STRICT)
+ def reformat(html, outgoing = false)
+ sanitize(html, Sanitize::Config::MASTODON_STRICT.merge(outgoing: outgoing))
rescue ArgumentError
''
end
diff --git a/app/lib/sanitize_config.rb b/app/lib/sanitize_config.rb
index 8bbcca4ce5..34793ed93b 100644
--- a/app/lib/sanitize_config.rb
+++ b/app/lib/sanitize_config.rb
@@ -60,7 +60,10 @@ class Sanitize
node = env[:node]
rel = (node['rel'] || '').split(' ') & ['tag']
- node['rel'] = (['nofollow', 'noopener', 'noreferrer'] + rel).join(' ')
+ unless env[:config][:outgoing] && TagManager.instance.local_url?(node['href'])
+ rel += ['nofollow', 'noopener', 'noreferrer']
+ end
+ node['rel'] = rel.join(' ')
end
UNSUPPORTED_HREF_TRANSFORMER = lambda do |env|
@@ -103,8 +106,8 @@ class Sanitize
transformers: [
CLASS_WHITELIST_TRANSFORMER,
IMG_TAG_TRANSFORMER,
- LINK_REL_TRANSFORMER,
UNSUPPORTED_HREF_TRANSFORMER,
+ LINK_REL_TRANSFORMER,
]
)
diff --git a/spec/lib/sanitize_config_spec.rb b/spec/lib/sanitize_config_spec.rb
index 2d82c00eaf..7370c536b6 100644
--- a/spec/lib/sanitize_config_spec.rb
+++ b/spec/lib/sanitize_config_spec.rb
@@ -7,6 +7,12 @@ describe Sanitize::Config do
describe '::MASTODON_STRICT' do
subject { Sanitize::Config::MASTODON_STRICT }
+ around do |example|
+ original_web_domain = Rails.configuration.x.web_domain
+ example.run
+ Rails.configuration.x.web_domain = original_web_domain
+ end
+
it 'keeps h1' do
expect(Sanitize.fragment('<h1>Foo</h1>', subject)).to eq '<h1>Foo</h1>'
end
@@ -32,7 +38,12 @@ describe Sanitize::Config do
end
it 'keeps a with href and rel tag' do
- expect(Sanitize.fragment('<a href="http://example.com" rel="tag">Test</a>', subject)).to eq '<a href="http://example.com" rel="nofollow noopener noreferrer tag" target="_blank">Test</a>'
+ expect(Sanitize.fragment('<a href="http://example.com" rel="tag">Test</a>', subject)).to eq '<a href="http://example.com" rel="tag nofollow noopener noreferrer" target="_blank">Test</a>'
+ end
+
+ it 'keeps a with href and rel tag, not adding to rel if url is local' do
+ Rails.configuration.x.web_domain = 'domain.test'
+ expect(Sanitize.fragment('<a href="http://domain.test/tags/foo" rel="tag">Test</a>', subject.merge(outgoing: true))).to eq '<a href="http://domain.test/tags/foo" rel="tag" target="_blank">Test</a>'
end
end
end