Merge branch 'mastoapi-non-html-strings' into 'develop'

mastodon API: do not sanitize html in non-html fields See merge request pleroma/pleroma!2167
author: feld <feld@feld.me> 2020-02-06 16:08:23 +0000
committer: feld <feld@feld.me> 2020-02-06 16:08:23 +0000
commit: df0b00b32dbfa15cfd941c87bea6b32a43625f75 (patch)
tree: 569b9ba90402ec0bf8cc04a30312c7caf674c5e6
parent: e12bf05f23c49212d2d75a32593c00dda5ead677 (diff)
parent: 983a87175e6f83da1828630cbaad4b33b04c6d81 (diff)
6 files changed, 10 insertions, 25 deletions
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 1b6ba53d4..b470b74ed 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -42,6 +42,7 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/).
 - **Breaking:** Admin API: `PUT /api/pleroma/admin/reports/:id` is now `PATCH /api/pleroma/admin/reports`, see admin_api.md for details
 - **Breaking:** `/api/pleroma/admin/users/invite_token` now uses `POST`, changed accepted params and returns full invite in json instead of only token string.
 - **Breaking** replying to reports is now "report notes", enpoint changed from `POST /api/pleroma/admin/reports/:id/respond` to `POST /api/pleroma/admin/reports/:id/notes`
+- Mastodon API: stopped sanitizing display names, field names and subject fields since they are supposed to be treated as plaintext
 - Admin API: Return `total` when querying for reports
 - Mastodon API: Return `pleroma.direct_conversation_id` when creating a direct message (`POST /api/v1/statuses`)
 - Admin API: Return link alongside with token on password reset
diff --git a/lib/pleroma/web/mastodon_api/views/account_view.ex b/lib/pleroma/web/mastodon_api/views/account_view.ex
index a5420f480..c6d37ead7 100644
--- a/lib/pleroma/web/mastodon_api/views/account_view.ex
+++ b/lib/pleroma/web/mastodon_api/views/account_view.ex
@@ -67,7 +67,7 @@ defmodule Pleroma.Web.MastodonAPI.AccountView do
   end
 
   defp do_render("show.json", %{user: user} = opts) do
-    display_name = HTML.strip_tags(user.name || user.nickname)
+    display_name = user.name || user.nickname
 
     image = User.avatar_url(user) |> MediaProxy.url()
     header = User.banner_url(user) |> MediaProxy.url()
@@ -105,7 +105,7 @@ defmodule Pleroma.Web.MastodonAPI.AccountView do
       |> User.fields()
       |> Enum.map(fn %{"name" => name, "value" => value} ->
         %{
-          "name" => Pleroma.HTML.strip_tags(name),
+          "name" => name,
           "value" => Pleroma.HTML.filter_tags(value, Pleroma.HTML.Scrubber.LinksOnly)
         }
       end)
diff --git a/lib/pleroma/web/mastodon_api/views/poll_view.ex b/lib/pleroma/web/mastodon_api/views/poll_view.ex
index 753039da3..6bb3652fb 100644
--- a/lib/pleroma/web/mastodon_api/views/poll_view.ex
+++ b/lib/pleroma/web/mastodon_api/views/poll_view.ex
@@ -5,7 +5,6 @@
 defmodule Pleroma.Web.MastodonAPI.PollView do
   use Pleroma.Web, :view
 
-  alias Pleroma.HTML
   alias Pleroma.Web.CommonAPI.Utils
 
   def render("show.json", %{object: object, multiple: multiple, options: options} = params) do
@@ -57,7 +56,7 @@ defmodule Pleroma.Web.MastodonAPI.PollView do
       current_count = option["replies"]["totalItems"] || 0
 
       {%{
-         title: HTML.strip_tags(name),
+         title: name,
          votes_count: current_count
        }, current_count + count}
     end)
diff --git a/lib/pleroma/web/mastodon_api/views/status_view.ex b/lib/pleroma/web/mastodon_api/views/status_view.ex
index 5df29d93f..6cb158bbf 100644
--- a/lib/pleroma/web/mastodon_api/views/status_view.ex
+++ b/lib/pleroma/web/mastodon_api/views/status_view.ex
@@ -216,21 +216,6 @@ defmodule Pleroma.Web.MastodonAPI.StatusView do
 
     summary = object.data["summary"] || ""
 
-    summary_html =
-      summary
-      |> HTML.get_cached_scrubbed_html_for_activity(
-        User.html_filter_policy(opts[:for]),
-        activity,
-        "mastoapi:summary"
-      )
-
-    summary_plaintext =
-      summary
-      |> HTML.get_cached_stripped_html_for_activity(
-        activity,
-        "mastoapi:summary"
-      )
-
     card = render("card.json", Pleroma.Web.RichMedia.Helpers.fetch_data_for_activity(activity))
 
     url =
@@ -286,7 +271,7 @@ defmodule Pleroma.Web.MastodonAPI.StatusView do
       muted: thread_muted? || User.mutes?(opts[:for], user),
       pinned: pinned?(activity, user),
       sensitive: sensitive,
-      spoiler_text: summary_html,
+      spoiler_text: summary,
       visibility: get_visibility(object),
       media_attachments: attachments,
       poll: render(PollView, "show.json", object: object, for: opts[:for]),
@@ -303,7 +288,7 @@ defmodule Pleroma.Web.MastodonAPI.StatusView do
         conversation_id: get_context_id(activity),
         in_reply_to_account_acct: reply_to_user && reply_to_user.nickname,
         content: %{"text/plain" => content_plaintext},
-        spoiler_text: %{"text/plain" => summary_plaintext},
+        spoiler_text: %{"text/plain" => summary},
         expires_at: expires_at,
         direct_conversation_id: direct_conversation_id,
         thread_muted: thread_muted?,
diff --git a/test/web/mastodon_api/controllers/account_controller/update_credentials_test.exs b/test/web/mastodon_api/controllers/account_controller/update_credentials_test.exs
index 09bdc46e0..82d9e7d2f 100644
--- a/test/web/mastodon_api/controllers/account_controller/update_credentials_test.exs
+++ b/test/web/mastodon_api/controllers/account_controller/update_credentials_test.exs
@@ -269,7 +269,7 @@ defmodule Pleroma.Web.MastodonAPI.MastodonAPIController.UpdateCredentialsTest do
         |> json_response(200)
 
       assert account_data["fields"] == [
-               %{"name" => "foo", "value" => "bar"},
+               %{"name" => "<a href=\"http://google.com\">foo</a>", "value" => "bar"},
                %{"name" => "link", "value" => ~S(<a href="http://cofe.io" rel="ugc">cofe.io</a>)}
              ]
 
@@ -297,7 +297,7 @@ defmodule Pleroma.Web.MastodonAPI.MastodonAPIController.UpdateCredentialsTest do
         |> json_response(200)
 
       assert account["fields"] == [
-               %{"name" => "foo", "value" => "bar"},
+               %{"name" => "<a href=\"http://google.com\">foo</a>", "value" => "bar"},
                %{"name" => "link", "value" => ~S(<a href="http://cofe.io" rel="ugc">cofe.io</a>)}
              ]
 
diff --git a/test/web/mastodon_api/views/account_view_test.exs b/test/web/mastodon_api/views/account_view_test.exs
index 2107bb85c..00c294845 100644
--- a/test/web/mastodon_api/views/account_view_test.exs
+++ b/test/web/mastodon_api/views/account_view_test.exs
@@ -368,10 +368,10 @@ defmodule Pleroma.Web.MastodonAPI.AccountViewTest do
     assert result.pleroma[:settings_store] == nil
   end
 
-  test "sanitizes display names" do
+  test "doesn't sanitize display names" do
     user = insert(:user, name: "<marquee> username </marquee>")
     result = AccountView.render("show.json", %{user: user})
-    refute result.display_name == "<marquee> username </marquee>"
+    assert result.display_name == "<marquee> username </marquee>"
   end
 
   test "never display nil user follow counts" do
author	feld <feld@feld.me>	2020-02-06 16:08:23 +0000
committer	feld <feld@feld.me>	2020-02-06 16:08:23 +0000
commit	df0b00b32dbfa15cfd941c87bea6b32a43625f75 (patch)
tree	569b9ba90402ec0bf8cc04a30312c7caf674c5e6
parent	e12bf05f23c49212d2d75a32593c00dda5ead677 (diff)
parent	983a87175e6f83da1828630cbaad4b33b04c6d81 (diff)