From 175f0bebbc8ee420082b10b00e49e490f65d4c5f Mon Sep 17 00:00:00 2001
From: ensra
Date: Tue, 21 Aug 2018 10:53:53 +0100
Subject: [PATCH 1/2] mastodon api: sanitize the bio HTML

---
 lib/pleroma/web/mastodon_api/views/account_view.ex | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/lib/pleroma/web/mastodon_api/views/account_view.ex b/lib/pleroma/web/mastodon_api/views/account_view.ex
index cc5261616..d9edcae7f 100644
--- a/lib/pleroma/web/mastodon_api/views/account_view.ex
+++ b/lib/pleroma/web/mastodon_api/views/account_view.ex
@@ -36,7 +36,7 @@ def render("account.json", %{user: user}) do
 followers_count: user_info.follower_count,
 following_count: user_info.following_count,
 statuses_count: user_info.note_count,
- note: user.bio || "",
+ note: HtmlSanitizeEx.basic_html(user.bio) || "",
 url: user.ap_id,
 avatar: image,
 avatar_static: image,

From 2b5db840ee9fc6b6e5229983b31c918e4675e4b2 Mon Sep 17 00:00:00 2001
From: ensra
Date: Tue, 21 Aug 2018 15:41:32 +0100
Subject: [PATCH 2/2] attempt to add html validation to mastodon api test case

---
 test/web/mastodon_api/account_view_test.exs | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/test/web/mastodon_api/account_view_test.exs b/test/web/mastodon_api/account_view_test.exs
index 8bf194e6b..35c8a1fb0 100644
--- a/test/web/mastodon_api/account_view_test.exs
+++ b/test/web/mastodon_api/account_view_test.exs
@@ -20,6 +20,7 @@ test "Represent a user account" do
 info: %{"note_count" => 5, "follower_count" => 3, "source_data" => source_data},
 nickname: "shp@shitposter.club",
 name: ":karjalanpiirakka: shp",
+ bio: "valid html",
 inserted_at: ~N[2017-08-15 15:47:06.597036]
 })
 
@@ -33,7 +34,7 @@ test "Represent a user account" do
 followers_count: 3,
 following_count: 0,
 statuses_count: 5,
- note: user.bio,
+ note: "valid html",
 url: user.ap_id,
 avatar: "http://localhost:4001/images/avi.png",
 avatar_static: "http://localhost:4001/images/avi.png",
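Review bot: The nil guard is lost on the new `note:` line: `HtmlSanitizeEx.basic_html/1` is now applied to `user.bio` before the `|| ""` fallback, so a user with no bio hands `nil` to the sanitizer (which, as far as I can tell, expects a binary) instead of yielding `""` as the old line did, and the trailing `|| ""` is dead because the sanitizer returns a string. Move the fallback inside the call: `note: HtmlSanitizeEx.basic_html(user.bio || ""),`. Sanitizing here only covers this Mastodon API representation; the stored bio is unchanged, so other views that read `user.bio` (not shown here) would need the same treatment, which is worth recording with a comment such as `# bio is stored as provided; sanitize at render time for this representation`. The enclosing `render("account.json", ...)` clause starts and ends outside the hunk.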
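Review bot: The new fixture `bio: "valid html"` and the matching `note: "valid html"` assertion in the second hunk (`@@ -33,7 +34,7`) only show that a plain string passes through the sanitizer untouched, so the test would still pass if the sanitization were removed from the view. To cover the change, add a case whose bio carries markup the `basic_html` profile is expected to drop (a `<script>` element is the usual regression check) and assert that the rendered `note` no longer contains it, plus a case with `bio: nil` asserting `note: ""`, which pins the fallback behaviour the view had before the first patch and would catch the nil regression that patch introduces. The `test "Represent a user account"` block starts and ends outside both hunks.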