Remove target="_blank" and add rel="noopener" during HTML cleaning

silverpill 2022-10-09 13:04:34 +00:00
parent 617ca19950
commit 0a62fdac2b
2 changed files with 8 additions and 7 deletions


@ -76,7 +76,7 @@ pub fn get_note_content(object: &Object) -> Result<String, ValidationError> {
let object_url = parse_object_url(value)
.map_err(|_| ValidationError("invalid object URL"))?;
content += &format!(
r#"<br><p><a href="{0}" target="_blank" rel="noopener">{0}</a></p>"#,
r#"<br><p><a href="{0}">{0}</a></p>"#,
object_url,
);
};
@ -423,7 +423,7 @@ mod tests {
let content = get_note_content(&object).unwrap();
assert_eq!(
content,
r#"test-content<br><p><a href="https://example.org/xyz" target="_blank" rel="noopener">https://example.org/xyz</a></p>"#,
r#"test-content<br><p><a href="https://example.org/xyz" rel="noopener">https://example.org/xyz</a></p>"#,
);
}
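Review bot: The new template line `r#"<br><p><a href="{0}">{0}</a></p>"#` no longer emits `rel="noopener"`, yet the updated assertion in the test hunk still expects `rel="noopener"` on the rendered link, so the attribute must now be supplied by a later cleaning pass (presumably the ammonia-based `clean_html`); that dependency is invisible at the call site and deserves a comment such as `// rel="noopener" is added by the HTML cleaner; do not hard-code link attributes here`. Note also that `object_url` is interpolated unescaped into both the `href` attribute and the visible link text, so the template relies on `parse_object_url` returning something attribute-safe — worth stating in the same comment, or escaping the text explicitly rather than trusting the cleaner to repair it. `get_note_content` begins before this hunk, so I cannot see where the cleaning call happens.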


@ -6,8 +6,8 @@ use ammonia::Builder;
pub fn clean_html(unsafe_html: &str) -> String {
let safe_html = Builder::default()
.add_generic_attributes(&["class"])
.add_tag_attributes("a", &["rel", "target"])
.link_rel(None)
// Always add rel="noopener"
.link_rel(Some("noopener"))
.clean(unsafe_html)
.to_string();
safe_html
@ -21,6 +21,7 @@ pub fn clean_html_strict(
HashSet::from_iter(allowed_tags.iter().copied());
let safe_html = Builder::default()
.tags(allowed_tags)
.link_rel(Some("noopener"))
.clean(unsafe_html)
.to_string();
safe_html
@ -41,14 +42,14 @@ mod tests {
fn test_clean_html() {
let unsafe_html = r#"<p><span class="h-card"><a href="https://example.com/user" class="u-url mention" rel="ugc">@<span>user</span></a></span> test</p>"#;
let safe_html = clean_html(unsafe_html);
assert_eq!(safe_html, r#"<p><span class="h-card"><a href="https://example.com/user" class="u-url mention" rel="ugc">@<span>user</span></a></span> test</p>"#);
assert_eq!(safe_html, r#"<p><span class="h-card"><a href="https://example.com/user" class="u-url mention" rel="noopener">@<span>user</span></a></span> test</p>"#);
}
#[test]
fn test_clean_html_strict() {
let unsafe_html = r#"<p>test <b>bold</b><script>dangerous</script> with <a href="https://example.com">link</a> and <code>code</code></p>"#;
let unsafe_html = r#"<p>test <b>bold</b><script>dangerous</script> with <a href="https://example.com" target="_blank" rel="noopener">link</a> and <code>code</code></p>"#;
let safe_html = clean_html_strict(unsafe_html, &["a", "br", "code"]);
assert_eq!(safe_html, r#"test bold with <a href="https://example.com" rel="noopener noreferrer">link</a> and <code>code</code>"#);
assert_eq!(safe_html, r#"test bold with <a href="https://example.com" rel="noopener">link</a> and <code>code</code>"#);
}
#[test]