html.ex 5.62 KB
Newer Older
1
2
3
4
# Pleroma: A lightweight social networking server
# Copyright © 2017-2018 Pleroma Authors <https://pleroma.social/>
# SPDX-License-Identifier: AGPL-3.0-only

5
6
7
defmodule Pleroma.HTML do
  alias HtmlSanitizeEx.Scrubber

Rin Toshaka's avatar
Rin Toshaka committed
8
9
10
11
12
13
14
15
16
17
18
19
  defp get_scrubbers(scrubber) when is_atom(scrubber), do: [scrubber]
  defp get_scrubbers(scrubbers) when is_list(scrubbers), do: scrubbers
  defp get_scrubbers(_), do: [Pleroma.HTML.Scrubber.Default]

  def get_scrubbers() do
    Pleroma.Config.get([:markup, :scrub_policy])
    |> get_scrubbers
  end

  def filter_tags(html, nil) do
    get_scrubbers()
    |> Enum.reduce(html, fn scrubber, html ->
20
21
      filter_tags(html, scrubber)
    end)
22
23
  end

Maksim's avatar
Maksim committed
24
  def filter_tags(html, scrubber), do: Scrubber.scrub(html, scrubber)
25
  def filter_tags(html), do: filter_tags(html, nil)
Maksim's avatar
Maksim committed
26
  def strip_tags(html), do: Scrubber.scrub(html, Scrubber.StripTags)
27
end
28
29
30
31
32
33
34

defmodule Pleroma.HTML.Scrubber.TwitterText do
  @moduledoc """
  An HTML scrubbing policy which limits to twitter-style text.  Only
  paragraphs, breaks and links are allowed through the filter.
  """

35
36
37
38
  @markup Application.get_env(:pleroma, :markup)
  @uri_schemes Application.get_env(:pleroma, :uri_schemes, [])
  @valid_schemes Keyword.get(@uri_schemes, :valid_schemes, [])

39
40
  require HtmlSanitizeEx.Scrubber.Meta
  alias HtmlSanitizeEx.Scrubber.Meta
41
42
43
44
45

  def version do
    0
  end

46
47
48
49
  Meta.remove_cdata_sections_before_scrub()
  Meta.strip_comments()

  # links
ValD's avatar
ValD committed
50
  Meta.allow_tag_with_uri_attributes("a", ["href", "data-user", "data-tag"], @valid_schemes)
51
52
53
54
55
56
57
58
  Meta.allow_tag_with_these_attributes("a", ["name", "title"])

  # paragraphs and linebreaks
  Meta.allow_tag_with_these_attributes("br", [])
  Meta.allow_tag_with_these_attributes("p", [])

  # microformats
  Meta.allow_tag_with_these_attributes("span", [])
59
60
61
62
63

  # allow inline images for custom emoji
  @allow_inline_images Keyword.get(@markup, :allow_inline_images)

  if @allow_inline_images do
64
65
    # restrict img tags to http/https only, because of MediaProxy.
    Meta.allow_tag_with_uri_attributes("img", ["src"], ["http", "https"])
66
67
68
69
70
71
72
73

    Meta.allow_tag_with_these_attributes("img", [
      "width",
      "height",
      "title",
      "alt"
    ])
  end
74
75

  Meta.strip_everything_not_covered()
76
77
78
79
80
81
82
end

defmodule Pleroma.HTML.Scrubber.Default do
  @doc "The default HTML scrubbing policy: no "

  require HtmlSanitizeEx.Scrubber.Meta
  alias HtmlSanitizeEx.Scrubber.Meta
83
84
85
86
87

  def version do
    0
  end

88
89
90
91
  @markup Application.get_env(:pleroma, :markup)
  @uri_schemes Application.get_env(:pleroma, :uri_schemes, [])
  @valid_schemes Keyword.get(@uri_schemes, :valid_schemes, [])

92
93
94
  Meta.remove_cdata_sections_before_scrub()
  Meta.strip_comments()

ValD's avatar
ValD committed
95
  Meta.allow_tag_with_uri_attributes("a", ["href", "data-user", "data-tag"], @valid_schemes)
96
97
  Meta.allow_tag_with_these_attributes("a", ["name", "title"])

scarlett's avatar
scarlett committed
98
99
  Meta.allow_tag_with_these_attributes("abbr", ["title"])

100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
  Meta.allow_tag_with_these_attributes("b", [])
  Meta.allow_tag_with_these_attributes("blockquote", [])
  Meta.allow_tag_with_these_attributes("br", [])
  Meta.allow_tag_with_these_attributes("code", [])
  Meta.allow_tag_with_these_attributes("del", [])
  Meta.allow_tag_with_these_attributes("em", [])
  Meta.allow_tag_with_these_attributes("i", [])
  Meta.allow_tag_with_these_attributes("li", [])
  Meta.allow_tag_with_these_attributes("ol", [])
  Meta.allow_tag_with_these_attributes("p", [])
  Meta.allow_tag_with_these_attributes("pre", [])
  Meta.allow_tag_with_these_attributes("span", [])
  Meta.allow_tag_with_these_attributes("strong", [])
  Meta.allow_tag_with_these_attributes("u", [])
  Meta.allow_tag_with_these_attributes("ul", [])

  @allow_inline_images Keyword.get(@markup, :allow_inline_images)

  if @allow_inline_images do
119
120
    # restrict img tags to http/https only, because of MediaProxy.
    Meta.allow_tag_with_uri_attributes("img", ["src"], ["http", "https"])
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158

    Meta.allow_tag_with_these_attributes("img", [
      "width",
      "height",
      "title",
      "alt"
    ])
  end

  @allow_tables Keyword.get(@markup, :allow_tables)

  if @allow_tables do
    Meta.allow_tag_with_these_attributes("table", [])
    Meta.allow_tag_with_these_attributes("tbody", [])
    Meta.allow_tag_with_these_attributes("td", [])
    Meta.allow_tag_with_these_attributes("th", [])
    Meta.allow_tag_with_these_attributes("thead", [])
    Meta.allow_tag_with_these_attributes("tr", [])
  end

  @allow_headings Keyword.get(@markup, :allow_headings)

  if @allow_headings do
    Meta.allow_tag_with_these_attributes("h1", [])
    Meta.allow_tag_with_these_attributes("h2", [])
    Meta.allow_tag_with_these_attributes("h3", [])
    Meta.allow_tag_with_these_attributes("h4", [])
    Meta.allow_tag_with_these_attributes("h5", [])
  end

  @allow_fonts Keyword.get(@markup, :allow_fonts)

  if @allow_fonts do
    Meta.allow_tag_with_these_attributes("font", ["face"])
  end

  Meta.strip_everything_not_covered()
end
159
160
161
162
163

defmodule Pleroma.HTML.Transform.MediaProxy do
  @moduledoc "Transforms inline image URIs to use MediaProxy."

  alias Pleroma.Web.MediaProxy
164
165
166
167
168

  def version do
    0
  end

169
170
171
172
173
174
175
176
177
178
  def before_scrub(html), do: html

  def scrub_attribute("img", {"src", "http" <> target}) do
    media_url =
      ("http" <> target)
      |> MediaProxy.url()

    {"src", media_url}
  end

Maksim's avatar
Maksim committed
179
  def scrub_attribute(_tag, attribute), do: attribute
180
181
182
183
184
185
186
187
188
189

  def scrub({"img", attributes, children}) do
    attributes =
      attributes
      |> Enum.map(fn attr -> scrub_attribute("img", attr) end)
      |> Enum.reject(&is_nil(&1))

    {"img", attributes, children}
  end

Maksim's avatar
Maksim committed
190
  def scrub({:comment, _children}), do: ""
191

192
  def scrub({tag, attributes, children}), do: {tag, attributes, children}
Maksim's avatar
Maksim committed
193
  def scrub({_tag, children}), do: children
194
195
  def scrub(text), do: text
end