Escape HTML instead of discarding it.
This commit is contained in:
parent
4647bcd6e6
commit
66e78c3ec4
@ -58,7 +58,8 @@ def add_attachments(text, attachments) do
|
||||
end
|
||||
|
||||
def format_input(text, mentions, tags) do
|
||||
HtmlSanitizeEx.strip_tags(text)
|
||||
Phoenix.HTML.html_escape(text)
|
||||
|> elem(1)
|
||||
|> Formatter.linkify
|
||||
|> String.replace("\n", "<br>\n")
|
||||
|> add_user_links(mentions)
|
||||
|
@ -34,7 +34,7 @@ test "create a status" do
|
||||
|
||||
{ :ok, activity = %Activity{} } = TwitterAPI.create_status(user, input)
|
||||
|
||||
assert get_in(activity.data, ["object", "content"]) == "Hello again, <a href='shp'>@shp</a>.<br>\nThis is on another line. #2hu #epic #phantasmagoric<br>\n<a href=\"http://example.org/image.jpg\" class='attachment'>image.jpg</a>"
|
||||
assert get_in(activity.data, ["object", "content"]) == "Hello again, <a href='shp'>@shp</a>.<script></script><br>\nThis is on another line. #2hu #epic #phantasmagoric<br>\n<a href=\"http://example.org/image.jpg\" class='attachment'>image.jpg</a>"
|
||||
assert get_in(activity.data, ["object", "type"]) == "Note"
|
||||
assert get_in(activity.data, ["object", "actor"]) == user.ap_id
|
||||
assert get_in(activity.data, ["actor"]) == user.ap_id
|
||||
|
Loading…
Reference in New Issue
Block a user