The summary for converted ActivityPub objects must be treated as html according to the ActivityStreams specification #28455
Comments
Menrath
added
bug
Menrath
changed the title
|
Correct me if I'm wrong here but: Rendering any HTML form an unsafe source would open up security risks (XSS and such). While it's in the spec, I doubt it's a good idea to just render any HTML that comes in as is. IF one would implement this you'd have to very carefully try and sanitize it of any malicious stuff (like scripts) imo. |
The content/contentMap of the ActivityPub object is already treated as HTML within Mastodon. Not sure though at which stage the sanitization (convertion to the status.text) takes place. |
from as2-core section 4.1.1 |
And have you come to any different conclusions than I have? |
|
Do you have a link to an example activity that triggers the behavior shown in the screenshot? |
@lesion Made that specific test together with the screenshot, maybe he can provide the JsonLD of the Activity it shows. |
This was a test to check if Mastodon will render the summary as html, something like: {
"actor" : "https://test.cisti.org/federation/u/gancio",
"id" : "https://test.cisti.org/federation/m/3#create",
"object" : {
"attachment" : [
{
"focalPoint" : [
0,
0
],
"mediaType" : "image/jpeg",
"name" : "AP test",
"type" : "Document",
"url" : "https://test.cisti.org/media/e10f1e2e1724a6104b7fed8b46db1f86.jpg"
}
],
"attributedTo" : "https://test.cisti.org/federation/u/gancio",
"cc" : [
"https://test.cisti.org/federation/u/gancio/followers"
],
"content" : "<p>test <strong>description</strong></p>",
"id" : "https://test.cisti.org/federation/m/3",
"location" : {
"address" : "Piazza Castello 1, Torino",
"name" : "Piazza Castello",
"type" : "Place"
},
"name" : "AP test",
"published" : "2024-01-08T11:08:13.261Z",
"startTime" : "2024-01-31T15:15:00.000+01:00",
"summary" : "online, <u>Wednesday, 31 January</u> (15:15)",
"tag" : [
{
"href" : "https://test.cisti.org/tag/test",
"name" : "#test",
"type" : "Hashtag"
}
],
"to" : [
"https://www.w3.org/ns/activitystreams#Public"
],
"type" : "Event",
"url" : "https://test.cisti.org/event/ap-test"
},
"published" : "2024-01-08T17:23:08.378+01:00",
"to" : "https://www.w3.org/ns/activitystreams#Public",
"type" : "Create"
}, |
Currently only expressed as plain text even though it should be HTML because of Mastodon compatibility Ref: https://framagit.org/les/gancio/-/issues/321 Ref: mastodon/mastodon#28455 Signed-off-by: Thomas Citharel <tcit@tcit.fr>
Currently only expressed as plain text even though it should be HTML because of Mastodon compatibility Ref: https://framagit.org/les/gancio/-/issues/321 Ref: mastodon/mastodon#28455 Signed-off-by: Thomas Citharel <tcit@tcit.fr>
Steps to reproduce the problem
Eventfrom with a HTML summary.Expected behaviour
The summary should be treated as HTML by default.
Actual behaviour
The summary is treated as plain text.
The following Screenshot shows what a event received from Gancio then looks like.
Detailed description
The feature introduced in #9823 is basically a great one, without Mastodon implementing custom renderings for ActivityPub objects like
Eventit has basic support for them. The actual convertion likely takes place here:mastodon/app/lib/activitypub/activity/create.rb
Lines 371 to 373 in 2463b53
The ActivityStreams vocabulary specification states that
This will cause interoperability issues with future Gancio, Mobilizon and WordPress ActivityPub releases.
Altough the ActivityPub spec does not mention it, one might also think of accepting custom
MediaTypefor the summary, to handle both plain/text and HTML summaries.See https://framagit.org/les/gancio/-/issues/321#note_2038846
Mastodon instance
All
Mastodon version
Since #9823
Technical details
No response
The text was updated successfully, but these errors were encountered: