Whitelist allowed classes for federated statuses (mastodon#3810)

* Whitelist allowed classes for federated statuses Allowed classes are currently: - Any microformats class (h/p/u/dt/e-*) - the classes mention, hashtag, ellipses and invisible. this last one is somewhat suspect, but Mastodon currently uses it to render hidden link text. resolved mastodon#3790 * Fix code style
koteitan · Jun 25, 2017 · ebe093d · ebe093d
1 parent 5c3cdea
commit ebe093d
Show file tree

Hide file tree

Showing 2 changed files with 28 additions and 1 deletion.
diff --git a/app/lib/sanitize_config.rb b/app/lib/sanitize_config.rb
@@ -4,6 +4,21 @@ class Sanitize
   module Config
     HTTP_PROTOCOLS ||= ['http', 'https', :relative].freeze
 
+    CLASS_WHITELIST_TRANSFORMER = lambda do |env|
+      node = env[:node]
+      class_list = node['class']&.split(' ')
+
+      return unless class_list
+
+      class_list.keep_if do |e|
+        return true if e =~ /^(h|p|u|dt|e)-/ # microformats classes
+        return true if e =~ /^(mention|hashtag)$/ # semantic classes
+        return true if e =~ /^(ellipsis|invisible)$/ # link formatting classes
+      end
+
+      node['class'] = class_list.join(' ')
+    end
+
     MASTODON_STRICT ||= freeze_config(
       elements: %w(p br span a),
 
@@ -21,7 +36,11 @@ module Config
 
       protocols: {
         'a' => { 'href' => HTTP_PROTOCOLS },
-      }
+      },
+
+      transformers: [
+        CLASS_WHITELIST_TRANSFORMER,
+      ]
     )
 
     MASTODON_OEMBED ||= freeze_config merge(

diff --git a/spec/lib/formatter_spec.rb b/spec/lib/formatter_spec.rb
@@ -204,6 +204,14 @@
         is_expected.to_not include '<script>alert("Hello")</script>'
       end
     end
+
+    context 'contains malicious classes' do
+      let(:text) { '<span class="status__content__spoiler-link">Show more</span>' }
+
+      it 'strips malicious classes' do
+        is_expected.to_not include 'status__content__spoiler-link'
+      end
+    end
   end
 
   describe '#plaintext' do