diff options
| author | Alex Gleason <alex@alexgleason.me> | 2021-05-04 18:29:25 -0500 |
|---|---|---|
| committer | Alex Gleason <alex@alexgleason.me> | 2021-05-04 18:29:25 -0500 |
| commit | 8b9ff5dab2b0dc4bafe677229e20095bab186a86 (patch) | |
| tree | 84901655ef85eb35d6821d7e7f19e26751e3b9e6 | |
| parent | 3a4ad366d524ed4b90f46ede22991ce5249b9a84 (diff) | |
Sanitize rich media HTML
| -rw-r--r-- | lib/pleroma/web/rich_media/parser/card.ex | 8 | ||||
| -rw-r--r-- | priv/scrubbers/o_embed.ex | 18 |
2 files changed, 25 insertions, 1 deletions
diff --git a/lib/pleroma/web/rich_media/parser/card.ex b/lib/pleroma/web/rich_media/parser/card.ex index fc0e3f6a4..d352eb4c5 100644 --- a/lib/pleroma/web/rich_media/parser/card.ex +++ b/lib/pleroma/web/rich_media/parser/card.ex @@ -28,6 +28,12 @@ defmodule Pleroma.Web.RichMedia.Parser.Card do when type in @types and is_binary(url) do uri = URI.parse(url) + html = + case FastSanitize.Sanitizer.scrub(oembed["html"], Pleroma.HTML.Scrubber.OEmbed) do + {:ok, html} -> html + _ -> "" + end + %Card{ url: url, title: title, @@ -37,7 +43,7 @@ defmodule Pleroma.Web.RichMedia.Parser.Card do author_url: oembed["author_url"], provider_name: oembed["provider_name"] || uri.host, provider_url: oembed["provider_url"] || "#{uri.scheme}://#{uri.host}", - html: oembed["html"], + html: html, width: oembed["width"], height: oembed["height"], image: oembed["thumbnail_url"] |> proxy(), diff --git a/priv/scrubbers/o_embed.ex b/priv/scrubbers/o_embed.ex new file mode 100644 index 000000000..ac419f45d --- /dev/null +++ b/priv/scrubbers/o_embed.ex @@ -0,0 +1,18 @@ +defmodule Pleroma.HTML.Scrubber.OEmbed do + @moduledoc """ + Scrubs OEmbed HTML + """ + require FastSanitize.Sanitizer.Meta + alias FastSanitize.Sanitizer.Meta + + Meta.strip_comments() + + Meta.allow_tag_with_these_attributes(:iframe, [ + "width", + "height", + "src", + "allowfullscreen" + ]) + + Meta.strip_everything_not_covered() +end |