Merge branch 'features/staticfe-sanitization' into 'develop'

static_fe: Sanitize HTML

Closes #1614

See merge request pleroma/pleroma!2299
rinpatch 2020-03-15 19:53:52 +00:00
commit fcf51a77ba
7 changed files with 56 additions and 29 deletions


@ -110,8 +110,20 @@ defmodule Pleroma.Web.StaticFE.StaticFEControllerTest do
assert html =~ "testing a thing!"
end
test "shows the whole thread", %{conn: conn} do
test "filters HTML tags", %{conn: conn} do
user = insert(:user)
{:ok, activity} = CommonAPI.post(user, %{"status" => "<script>alert('xss')</script>"})
conn =
conn
|> put_req_header("accept", "text/html")
|> get("/notice/#{activity.id}")
html = html_response(conn, 200)
assert html =~ ~s[&lt;script&gt;alert(&#39;xss&#39;)&lt;/script&gt;]
end
test "shows the whole thread", %{conn: conn, user: user} do
{:ok, activity} = CommonAPI.post(user, %{"status" => "space: the final frontier"})
CommonAPI.post(user, %{