From 4e14cabe70b28c4740bf122a611c96540adf4493 Mon Sep 17 00:00:00 2001
From: Daniel Supernault
Date: Tue, 23 Apr 2019 17:58:46 -0600
Subject: [PATCH] Update html purifier config
---
config/pixelfed.php | 4 ++++
config/purify.php | 22 +++++++++++++++++++++-
tests/Unit/PurifierTest.php | 6 +++++-
3 files changed, 30 insertions(+), 2 deletions(-)
diff --git a/config/pixelfed.php b/config/pixelfed.php
index 90f85d5e..fcd67ee6 100644
--- a/config/pixelfed.php
+++ b/config/pixelfed.php
@@ -278,4 +278,8 @@ return [ ], 'oauth_enabled' => env('OAUTH_ENABLED', false), + + 'sanitizer' => [ + 'strict_mode' => env('SANITIZER_STRICT', true) + ], ];
diff --git a/config/purify.php b/config/purify.php
index 5c09c28c..409555d6 100644
--- a/config/purify.php
+++ b/config/purify.php
@@ -67,7 +67,10 @@ return [ | */ - 'HTML.Allowed' => 'a[href|title|rel],p,strong,em,i,u,h1,h2,h3,h4,h5,ul,ol,li,br', + 'HTML.Allowed' => env('SANITIZER_STRICT', true) ? 'a[href|title|rel],p,span,br' : 'a[href|title|rel],p,span,strong,em,i,h1,h2,h3,h4,h5,ul,ol,li,br', + /* |--------------------------------------------------------------------------
@@ -136,6 +139,23 @@ return [ 'nofollow' ], + 'HTML.TargetBlank' => true, + 'HTML.Nofollow' => true, + 'URI.DefaultScheme' => 'https', + 'URI.DisableExternalResources' => true, + 'URI.DisableResources' => true, + 'URI.AllowedSchemes' => [ 'http' => true, 'https' => true, ], + 'URI.HostBlacklist' => config('costar.enabled') ? config('costar.domain.block') : [], + ], ];
diff --git a/tests/Unit/PurifierTest.php b/tests/Unit/PurifierTest.php
index b6852c36..844467f2 100644
--- a/tests/Unit/PurifierTest.php
+++ b/tests/Unit/PurifierTest.php
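Review bot: The new `sanitizer.strict_mode` key in config/pixelfed.php is not what the rest of this commit reads; config/purify.php's `HTML.Allowed` calls `env('SANITIZER_STRICT', true)` again with its own copy of the default, so the two can drift and the pixelfed key is unused unless something outside this patch consumes it. Since config files are not a safe place to read each other at load time, the minimum is a comment above the key, e.g. `// Also read directly from env in config/purify.php (HTML.Allowed); keep the defaults in sync`, plus a trailing comma after the `env(...)` call to match the surrounding entries. The enclosing `return [` array begins outside the hunk.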
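Review bot: The permissive branch of `HTML.Allowed` silently drops `u` relative to the line it replaces (`strong,em,i,u,h1,...` becomes `strong,em,i,h1,...`), which is neither mentioned in the commit message nor visible as a deliberate choice; if it is intended, a one-line comment such as `// u intentionally not allowed: underlined text is indistinguishable from links` would keep it from being "restored" later. The ternary also re-reads `env('SANITIZER_STRICT', true)` rather than a single shared default, so a comment pointing at the matching `pixelfed.sanitizer.strict_mode` key would help the next maintainer keep them aligned. The surrounding array starts and ends outside the hunk.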
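Review bot: `URI.HostBlacklist` evaluates to null rather than a list when `costar.enabled` is truthy but `costar.domain.block` is not set, and the `config('costar.*')` calls inside this config file appear to rely on the `costar` file being loaded before `purify`, which nothing here guarantees. `'URI.HostBlacklist' => config('costar.enabled') ? (config('costar.domain.block') ?? []) : [],` closes the null case; the load-order dependency deserves at least a comment, or the blocklist should be merged in where the purifier config is actually consumed. Separately, `HTML.TargetBlank` only stays safe alongside HTMLPurifier's `HTML.TargetNoopener` and `HTML.TargetNoreferrer` (on by default in recent releases); pinning both to `true` next to it records that `_blank` links must not be able to reach `window.opener` regardless of library version. The enclosing `return [` continues outside the hunk.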
@@ -13,11 +13,15 @@ class PurifierTest extends TestCase public function puckTest() { $actual = Purify::clean("catgirl spinning around in the interblag"); - $expected = 'catgirl spinning around in the interblag'; + $expected = 'catgirl spinning around in the interblag'; $this->assertEquals($expected, $actual); $actual = Purify::clean("

catgirl spinning around in the interblag

"); $expected = '

catgirl spinning around in the interblag

'; $this->assertEquals($expected, $actual); + + $actual = Purify::clean('pixelfed'); + $expected = 'pixelfed'; + $this->assertEquals($expected, $actual); } }
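Review bot: The added assertion only exercises whichever `HTML.Allowed` branch the test environment's `SANITIZER_STRICT` default selects, so one of the two allow-lists introduced in config/purify.php is never checked, and none of the new URI settings (scheme restriction, disabled resources, host blocklist) is covered. Cases that override the relevant purify config key per test — one for each mode, one with a non-http(s) scheme and one with a blocklisted host — would pin the behaviour this commit is actually changing. The markup in this hunk appears to have been stripped in rendering (the removed and added `$expected` lines read identically here), so the exact expected strings could not be verified from the page.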