From 66e78c3ec4e524a31a4c12f4dbe682ccbbc0025d Mon Sep 17 00:00:00 2001
From: eal
Date: Sat, 18 Nov 2017 14:43:41 +0200
Subject: [PATCH 1/3] Escape HTML instead of discarding it.
---
 lib/pleroma/web/common_api/utils.ex | 3 ++-
 test/web/twitter_api/twitter_api_test.exs | 2 +-
 2 files changed, 3 insertions(+), 2 deletions(-)
diff --git a/lib/pleroma/web/common_api/utils.ex b/lib/pleroma/web/common_api/utils.ex
index 83a656011..21b6226b1 100644
--- a/lib/pleroma/web/common_api/utils.ex
+++ b/lib/pleroma/web/common_api/utils.ex
@@ -58,7 +58,8 @@ defmodule Pleroma.Web.CommonAPI.Utils do
   end
   def format_input(text, mentions, tags) do
-    HtmlSanitizeEx.strip_tags(text)
+    Phoenix.HTML.html_escape(text)
+    |> elem(1)
     |> Formatter.linkify
     |> String.replace("\n", "
\n")
     |> add_user_links(mentions)
diff --git a/test/web/twitter_api/twitter_api_test.exs b/test/web/twitter_api/twitter_api_test.exs
index 994cc8f90..8698686ad 100644
--- a/test/web/twitter_api/twitter_api_test.exs
+++ b/test/web/twitter_api/twitter_api_test.exs
@@ -34,7 +34,7 @@ defmodule Pleroma.Web.TwitterAPI.TwitterAPITest do
     { :ok, activity = %Activity{} } = TwitterAPI.create_status(user, input)
-    assert get_in(activity.data, ["object", "content"]) == "Hello again, @shp.
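Review bot: `|> elem(1)` on the second added line discards the `:safe` tag without checking it, so a non-`{:safe, _}` return would silently feed its second element into the rest of the pipeline; a match is both assertive and clearer: `{:safe, escaped} = Phoenix.HTML.html_escape(text)` followed by `escaped |> Formatter.linkify ...`. Because escaping now happens at the head of the pipeline, every later step (`Formatter.linkify`, the newline replacement, `add_user_links`) receives already-escaped text and whatever markup it emits is rendered verbatim, so that invariant deserves a comment above the pipeline such as `# text is HTML-escaped here; later steps may only add trusted markup and must not re-escape`. Whether `Formatter.linkify` is written with escaped input in mind cannot be seen from this hunk.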
\nThis is on another line. #2hu #epic #phantasmagoric
\nimage.jpg"
+    assert get_in(activity.data, ["object", "content"]) == "Hello again, @shp.<script></script>
\nThis is on another line. #2hu #epic #phantasmagoric
\nimage.jpg"
     assert get_in(activity.data, ["object", "type"]) == "Note"
     assert get_in(activity.data, ["object", "actor"]) == user.ap_id
     assert get_in(activity.data, ["actor"]) == user.ap_id
From fb118b2978686a44a15534b638ab7887fb38c03d Mon Sep 17 00:00:00 2001
From: eal
Date: Sat, 18 Nov 2017 14:46:54 +0200
Subject: [PATCH 2/3] Don't insert newlines to generated HTML. MastoFE doesn't like them.
---
 lib/pleroma/web/common_api/utils.ex | 4 ++--
 test/web/common_api/common_api_utils_test.exs | 2 +-
 test/web/twitter_api/twitter_api_test.exs | 2 +-
 3 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/lib/pleroma/web/common_api/utils.ex b/lib/pleroma/web/common_api/utils.ex
index 21b6226b1..7cce77b10 100644
--- a/lib/pleroma/web/common_api/utils.ex
+++ b/lib/pleroma/web/common_api/utils.ex
@@ -54,14 +54,14 @@ defmodule Pleroma.Web.CommonAPI.Utils do
         "#{shortname(name)}"
       _ -> ""
     end)
-    Enum.join([text | attachment_text], "
\n")
+    Enum.join([text | attachment_text], "
")
   end
   def format_input(text, mentions, tags) do
     Phoenix.HTML.html_escape(text)
     |> elem(1)
     |> Formatter.linkify
-    |> String.replace("\n", "
\n")
+    |> String.replace("\n", "
")
     |> add_user_links(mentions)
     # |> add_tag_links(tags)
   end
diff --git a/test/web/common_api/common_api_utils_test.exs b/test/web/common_api/common_api_utils_test.exs
index a159c0835..f6a7da9ed 100644
--- a/test/web/common_api/common_api_utils_test.exs
+++ b/test/web/common_api/common_api_utils_test.exs
@@ -11,6 +11,6 @@ defmodule Pleroma.Web.CommonAPI.UtilsTest do
     res = Utils.add_attachments("", [attachment])
-    assert res == "
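Review bot: The HTML line-break separator is now spelled out as a literal in two places in this hunk, the `Enum.join` at its top (whose enclosing function starts before the hunk) and the `String.replace("\n", …)` in `format_input`, and this commit already had to touch both to keep them in step; a single module attribute (e.g. `@line_break` holding the separator, then `Enum.join([text | attachment_text], @line_break)` and `|> String.replace("\n", @line_break)`) would make the next front-end preference change a one-line edit. The `tags` parameter of `format_input` is only referenced in the commented-out `add_tag_links` call, so it is unused until that call is restored; `_tags` would document the intent and silence the warning.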
\nSakura Mana – Turned on by a Se…"
+    assert res == "
Sakura Mana – Turned on by a Se…"
   end
 end
diff --git a/test/web/twitter_api/twitter_api_test.exs b/test/web/twitter_api/twitter_api_test.exs
index 8698686ad..06ecd9e75 100644
--- a/test/web/twitter_api/twitter_api_test.exs
+++ b/test/web/twitter_api/twitter_api_test.exs
@@ -34,7 +34,7 @@ defmodule Pleroma.Web.TwitterAPI.TwitterAPITest do
     { :ok, activity = %Activity{} } = TwitterAPI.create_status(user, input)
-    assert get_in(activity.data, ["object", "content"]) == "Hello again, @shp.<script></script>
\nThis is on another line. #2hu #epic #phantasmagoric
\nimage.jpg"
+    assert get_in(activity.data, ["object", "content"]) == "Hello again, @shp.<script></script>
This is on another line. #2hu #epic #phantasmagoric
image.jpg"
     assert get_in(activity.data, ["object", "type"]) == "Note"
     assert get_in(activity.data, ["object", "actor"]) == user.ap_id
     assert get_in(activity.data, ["actor"]) == user.ap_id
From 31e4277ba5a2a793a0bc94f5d7682a48349583a3 Mon Sep 17 00:00:00 2001
From: eal
Date: Sat, 18 Nov 2017 15:25:22 +0200
Subject: [PATCH 3/3] Don't add summary if empty.
---
 lib/pleroma/web/twitter_api/representers/activity_representer.ex | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/lib/pleroma/web/twitter_api/representers/activity_representer.ex b/lib/pleroma/web/twitter_api/representers/activity_representer.ex
index 3fbeb86ba..b17013d87 100644
--- a/lib/pleroma/web/twitter_api/representers/activity_representer.ex
+++ b/lib/pleroma/web/twitter_api/representers/activity_representer.ex
@@ -135,8 +135,9 @@ defmodule Pleroma.Web.TwitterAPI.Representers.ActivityRepresenter do
     tags = activity.data["object"]["tag"] || []
     possibly_sensitive = Enum.member?(tags, "nsfw")
-    content = if activity.data["object"]["summary"] do
-      "#{activity.data["object"]["summary"]}
#{content}"
+    summary = activity.data["object"]["summary"]
+    content = if !!summary and summary != "" do
+      "#{activity.data["object"]["summary"]}
#{content}"
     else
       content
     end
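Review bot: The new `summary` binding is used only in the condition; the body of the `if` still re-reads `activity.data["object"]["summary"]`, so the two can drift apart — interpolate `#{summary}` there instead. The condition `!!summary and summary != ""` would also read more clearly as a shape guard, `if is_binary(summary) and summary != "" do`, assuming the field is only ever `nil` or a string (`!!summary` additionally accepts any other non-`nil`, non-`false` term). `summary` is interpolated straight into the HTML `content` next to the already formatted body, and the hunk does not show whether it was escaped when stored, so a short comment stating where that escaping is guaranteed (or applying `Phoenix.HTML.html_escape` here if it is not) would make the trust boundary explicit.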