diff --git a/config/config.exs b/config/config.exs index 320296991..e5f0b4f6f 100644 --- a/config/config.exs +++ b/config/config.exs @@ -24,7 +24,23 @@ config :pleroma, :emoji, shortcode_globs: ["/emoji/custom/**/*.png"] -config :pleroma, :uri_schemes, additionnal_schemes: [] +config :pleroma, :uri_schemes, + valid_schemes: [ + "https", + "http", + "dat", + "dweb", + "gopher", + "ipfs", + "ipns", + "irc", + "ircs", + "magnet", + "mailto", + "mumble", + "ssb", + "xmpp" + ] # Configures the endpoint config :pleroma, Pleroma.Web.Endpoint, diff --git a/lib/pleroma/formatter.ex b/lib/pleroma/formatter.ex index 21b08a62e..1756cc187 100644 --- a/lib/pleroma/formatter.ex +++ b/lib/pleroma/formatter.ex @@ -171,25 +171,8 @@ def get_custom_emoji() do @link_regex ~r/[0-9a-z+\-\.]+:[0-9a-z$-_.+!*'(),]+/ui - # IANA got a list https://www.iana.org/assignments/uri-schemes/ but - # Stuff like ipfs isn’t in it - # There is very niche stuff - @uri_schemes [ - "https://", - "http://", - "dat://", - "dweb://", - "gopher://", - "ipfs://", - "ipns://", - "irc:", - "ircs:", - "magnet:", - "mailto:", - "mumble:", - "ssb://", - "xmpp:" - ] + @uri_schemes Application.get_env(:pleroma, :uri_schemes, []) + @valid_schemes Keyword.get(@uri_schemes, :valid_schemes, []) # TODO: make it use something other than @link_regex def html_escape(text, "text/html") do @@ -207,14 +190,10 @@ def html_escape(text, "text/plain") do @doc "changes scheme:... urls to html links" def add_links({subs, text}) do - additionnal_schemes = - Application.get_env(:pleroma, :uri_schemes, []) - |> Keyword.get(:additionnal_schemes, []) - links = text |> String.split([" ", "\t", "
"]) - |> Enum.filter(fn word -> String.starts_with?(word, @uri_schemes ++ additionnal_schemes) end) + |> Enum.filter(fn word -> String.starts_with?(word, @valid_schemes) end) |> Enum.filter(fn word -> Regex.match?(@link_regex, word) end) |> Enum.map(fn url -> {Ecto.UUID.generate(), url} end) |> Enum.sort_by(fn {_, url} -> -String.length(url) end) diff --git a/lib/pleroma/html.ex b/lib/pleroma/html.ex index cf18f070c..fdc5e7dab 100644 --- a/lib/pleroma/html.ex +++ b/lib/pleroma/html.ex @@ -36,10 +36,14 @@ defmodule Pleroma.HTML.Scrubber.TwitterText do paragraphs, breaks and links are allowed through the filter. """ + @markup Application.get_env(:pleroma, :markup) + @uri_schemes Application.get_env(:pleroma, :uri_schemes, []) + @valid_schemes Keyword.get(@uri_schemes, :valid_schemes, []) + require HtmlSanitizeEx.Scrubber.Meta alias HtmlSanitizeEx.Scrubber.Meta - @valid_schemes ["http", "https"] + alias Pleroma.HTML Meta.remove_cdata_sections_before_scrub() Meta.strip_comments() @@ -56,11 +60,11 @@ defmodule Pleroma.HTML.Scrubber.TwitterText do Meta.allow_tag_with_these_attributes("span", []) # allow inline images for custom emoji - @markup Application.get_env(:pleroma, :markup) @allow_inline_images Keyword.get(@markup, :allow_inline_images) if @allow_inline_images do - Meta.allow_tag_with_uri_attributes("img", ["src"], @valid_schemes) + # restrict img tags to http/https only, because of MediaProxy. + Meta.allow_tag_with_uri_attributes("img", ["src"], ["http", "https"]) Meta.allow_tag_with_these_attributes("img", [ "width", @@ -79,7 +83,11 @@ defmodule Pleroma.HTML.Scrubber.Default do require HtmlSanitizeEx.Scrubber.Meta alias HtmlSanitizeEx.Scrubber.Meta - @valid_schemes ["http", "https"] + alias Pleroma.HTML + + @markup Application.get_env(:pleroma, :markup) + @uri_schemes Application.get_env(:pleroma, :uri_schemes, []) + @valid_schemes Keyword.get(@uri_schemes, :valid_schemes, []) Meta.remove_cdata_sections_before_scrub() Meta.strip_comments() @@ -103,11 +111,11 @@ defmodule Pleroma.HTML.Scrubber.Default do Meta.allow_tag_with_these_attributes("u", []) Meta.allow_tag_with_these_attributes("ul", []) - @markup Application.get_env(:pleroma, :markup) @allow_inline_images Keyword.get(@markup, :allow_inline_images) if @allow_inline_images do - Meta.allow_tag_with_uri_attributes("img", ["src"], @valid_schemes) + # restrict img tags to http/https only, because of MediaProxy. + Meta.allow_tag_with_uri_attributes("img", ["src"], ["http", "https"]) Meta.allow_tag_with_these_attributes("img", [ "width",