Strip unsafe html on output in TwAPI.
parent
a9bfbcae80
commit
8feec8d390
@ -105,7 +105,7 @@ def to_map(%Activity{data: %{"object" => %{"content" => content} = object}} = ac
|
|||||||
"id" => activity.id,
|
"id" => activity.id,
|
||||||
"user" => UserRepresenter.to_map(user, opts),
|
"user" => UserRepresenter.to_map(user, opts),
|
||||||
"attentions" => [],
|
"attentions" => [],
|
||||||
"statusnet_html" => content,
|
"statusnet_html" => HtmlSanitizeEx.basic_html(content),
|
||||||
"text" => HtmlSanitizeEx.strip_tags(content),
|
"text" => HtmlSanitizeEx.strip_tags(content),
|
||||||
"is_local" => true,
|
"is_local" => true,
|
||||||
"is_post_verb" => true,
|
"is_post_verb" => true,
|
||||||
|
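Review bot: Sanitizing at render time in this one `to_map` clause leaves the stored `content` itself unsanitized, so any other clause or representer that emits it (none are visible in this hunk) would still return the raw HTML. It is worth confirming that `"statusnet_html"` here is the only place the value reaches clients, or routing every such output through one shared helper. The two keys now get different treatment, `basic_html` keeping an allow-list of tags and `strip_tags` removing all of them, and a comment would make that intentional, for example `# content is presumably untrusted HTML: allow-list basic tags for statusnet_html, strip everything for text`. The body of `to_map` starts and ends outside the hunk.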
@ -67,7 +67,7 @@ test "an activity" do
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
content_html = "Some #content #mentioning <a href='#{mentioned_user.ap_id}'>@shp</shp>"
|
content_html = "<script>alert('YAY')</script>Some #content #mentioning <a href='#{mentioned_user.ap_id}'>@shp</a>"
|
||||||
content = HtmlSanitizeEx.strip_tags(content_html)
|
content = HtmlSanitizeEx.strip_tags(content_html)
|
||||||
date = DateTime.from_naive!(~N[2016-05-24 13:26:08.003], "Etc/UTC") |> DateTime.to_iso8601
|
date = DateTime.from_naive!(~N[2016-05-24 13:26:08.003], "Etc/UTC") |> DateTime.to_iso8601
|
||||||
|
|
||||||
@ -108,7 +108,7 @@ test "an activity" do
|
|||||||
"user" => UserRepresenter.to_map(user, %{for: follower}),
|
"user" => UserRepresenter.to_map(user, %{for: follower}),
|
||||||
"is_local" => true,
|
"is_local" => true,
|
||||||
"attentions" => [],
|
"attentions" => [],
|
||||||
"statusnet_html" => content_html <> "<br>\n#nsfw",
|
"statusnet_html" => HtmlSanitizeEx.basic_html(content_html) <> "<br />\n#nsfw",
|
||||||
"text" => content <> "\n#nsfw",
|
"text" => content <> "\n#nsfw",
|
||||||
"is_post_verb" => true,
|
"is_post_verb" => true,
|
||||||
"created_at" => "Tue May 24 13:26:08 +0000 2016",
|
"created_at" => "Tue May 24 13:26:08 +0000 2016",
|
||||||
|
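Review bot: The expected `"statusnet_html"` value is built with `HtmlSanitizeEx.basic_html(content_html)`, the same call the representer makes, so the assertion checks that both sides agree rather than that the `<script>` element is actually gone. Pin the property independently, either by spelling out the literal expected string for the new fixture or by adding a negative check such as `refute rendered["statusnet_html"] =~ "<script"`, where `rendered` stands for whatever name the test gives the representer's result. The body of `test "an activity"` continues outside both hunks, so an equivalent check may already exist there.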