FediMovies/fedimovies
1
1
Fork 0
Code Issues 3 Pull requests Projects Releases Packages Activity

Remove target="_blank" and add rel="noopener" during HTML cleaning

Browse source
This commit is contained in:
silverpill 2022-10-09 13:04:34 +00:00
parent 617ca19950
commit 0a62fdac2b
2 changed files with 8 additions and 7 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

4
src/activitypub/handlers/create_note.rs
View file

@ -76,7 +76,7 @@ pub fn get_note_content(object: &Object) -> Result<String, ValidationError> {
let object_url = parse_object_url(value) let object_url = parse_object_url(value)
.map_err(|_| ValidationError("invalid object URL"))?; .map_err(|_| ValidationError("invalid object URL"))?;
content += &format!( content += &format!(
r#"<br><p><a href="{0}" target="_blank" rel="noopener">{0}</a></p>"#, r#"<br><p><a href="{0}">{0}</a></p>"#,
object_url, object_url,
); );
}; };
@ -423,7 +423,7 @@ mod tests {
let content = get_note_content(&object).unwrap(); let content = get_note_content(&object).unwrap();
assert_eq!( assert_eq!(
content, content,
r#"test-content<br><p><a href="https://example.org/xyz" target="_blank" rel="noopener">https://example.org/xyz</a></p>"#, r#"test-content<br><p><a href="https://example.org/xyz" rel="noopener">https://example.org/xyz</a></p>"#,
); );
} }

11
src/utils/html.rs
View file

@ -6,8 +6,8 @@ use ammonia::Builder;
pub fn clean_html(unsafe_html: &str) -> String { pub fn clean_html(unsafe_html: &str) -> String {
let safe_html = Builder::default() let safe_html = Builder::default()
.add_generic_attributes(&["class"]) .add_generic_attributes(&["class"])
.add_tag_attributes("a", &["rel", "target"]) // Always add rel="noopener"
.link_rel(None) .link_rel(Some("noopener"))
.clean(unsafe_html) .clean(unsafe_html)
.to_string(); .to_string();
safe_html safe_html
@ -21,6 +21,7 @@ pub fn clean_html_strict(
HashSet::from_iter(allowed_tags.iter().copied()); HashSet::from_iter(allowed_tags.iter().copied());
let safe_html = Builder::default() let safe_html = Builder::default()
.tags(allowed_tags) .tags(allowed_tags)
.link_rel(Some("noopener"))
.clean(unsafe_html) .clean(unsafe_html)
.to_string(); .to_string();
safe_html safe_html
@ -41,14 +42,14 @@ mod tests {
fn test_clean_html() { fn test_clean_html() {
let unsafe_html = r#"<p><span class="h-card"><a href="https://example.com/user" class="u-url mention" rel="ugc">@<span>user</span></a></span> test</p>"#; let unsafe_html = r#"<p><span class="h-card"><a href="https://example.com/user" class="u-url mention" rel="ugc">@<span>user</span></a></span> test</p>"#;
let safe_html = clean_html(unsafe_html); let safe_html = clean_html(unsafe_html);
assert_eq!(safe_html, r#"<p><span class="h-card"><a href="https://example.com/user" class="u-url mention" rel="ugc">@<span>user</span></a></span> test</p>"#); assert_eq!(safe_html, r#"<p><span class="h-card"><a href="https://example.com/user" class="u-url mention" rel="noopener">@<span>user</span></a></span> test</p>"#);
} }
#[test] #[test]
fn test_clean_html_strict() { fn test_clean_html_strict() {
let unsafe_html = r#"<p>test <b>bold</b><script>dangerous</script> with <a href="https://example.com">link</a> and <code>code</code></p>"#; let unsafe_html = r#"<p>test <b>bold</b><script>dangerous</script> with <a href="https://example.com" target="_blank" rel="noopener">link</a> and <code>code</code></p>"#;
let safe_html = clean_html_strict(unsafe_html, &["a", "br", "code"]); let safe_html = clean_html_strict(unsafe_html, &["a", "br", "code"]);
assert_eq!(safe_html, r#"test bold with <a href="https://example.com" rel="noopener noreferrer">link</a> and <code>code</code>"#); assert_eq!(safe_html, r#"test bold with <a href="https://example.com" rel="noopener">link</a> and <code>code</code>"#);
} }
#[test] #[test]