mirror of
https://github.com/superseriousbusiness/gotosocial
synced 2025-06-05 21:59:39 +02:00
[bugfix] Fix HTML escaping in instance title (#607)
* move caption sanitization -> sanitize.go * use sanitizeplaintext rather than removehtml * rename sanitizecaption to sanitizeplaintext * avoid removing html twice from statuses * unexport remoteHTML it's no longer used outside the text package so this makes it less confusing * test instance PATCH
This commit is contained in:
@@ -26,17 +26,8 @@ import (
|
||||
)
|
||||
|
||||
const (
|
||||
removeHTML = `<p>Another test <span class="h-card"><a href="http://fossbros-anonymous.io/@foss_satan" class="u-url mention" rel="nofollow noreferrer noopener" target="_blank">@<span>foss_satan</span></a></span><br/><br/><a href="http://localhost:8080/tags/Hashtag" class="mention hashtag" rel="tag nofollow noreferrer noopener" target="_blank">#<span>Hashtag</span></a><br/><br/>Text</p>`
|
||||
removedHTML = `Another test @foss_satan#HashtagText`
|
||||
|
||||
sanitizeHTML = `here's some naughty html: <script>alert(ahhhh)</script> !!!`
|
||||
sanitizedHTML = `here's some naughty html: !!!`
|
||||
|
||||
withEscapedLiteral = `it\u0026amp;#39;s its it is`
|
||||
withEscapedLiteralExpected = `it\u0026amp;#39;s its it is`
|
||||
withEscaped = "it\u0026amp;#39;s its it is"
|
||||
withEscapedExpected = "it&#39;s its it is"
|
||||
|
||||
sanitizeHTML = `here's some naughty html: <script>alert(ahhhh)</script> !!!`
|
||||
sanitizedHTML = `here's some naughty html: !!!`
|
||||
sanitizeOutgoing = `<p>gotta test some fucking ''''''''' marks</p>`
|
||||
sanitizedOutgoing = `<p>gotta test some fucking ''''''''' marks</p>`
|
||||
)
|
||||
@@ -45,11 +36,6 @@ type SanitizeTestSuite struct {
|
||||
suite.Suite
|
||||
}
|
||||
|
||||
func (suite *SanitizeTestSuite) TestRemoveHTML() {
|
||||
s := text.RemoveHTML(removeHTML)
|
||||
suite.Equal(removedHTML, s)
|
||||
}
|
||||
|
||||
func (suite *SanitizeTestSuite) TestSanitizeOutgoing() {
|
||||
s := text.SanitizeHTML(sanitizeOutgoing)
|
||||
suite.Equal(sanitizedOutgoing, s)
|
||||
@@ -60,14 +46,52 @@ func (suite *SanitizeTestSuite) TestSanitizeHTML() {
|
||||
suite.Equal(sanitizedHTML, s)
|
||||
}
|
||||
|
||||
func (suite *SanitizeTestSuite) TestSanitizeWithEscapedLiteral() {
|
||||
s := text.RemoveHTML(withEscapedLiteral)
|
||||
suite.Equal(withEscapedLiteralExpected, s)
|
||||
func (suite *SanitizeTestSuite) TestSanitizeCaption1() {
|
||||
dodgyCaption := "<script>console.log('haha!')</script>this is just a normal caption ;)"
|
||||
sanitized := text.SanitizePlaintext(dodgyCaption)
|
||||
suite.Equal("this is just a normal caption ;)", sanitized)
|
||||
}
|
||||
|
||||
func (suite *SanitizeTestSuite) TestSanitizeWithEscaped() {
|
||||
s := text.RemoveHTML(withEscaped)
|
||||
suite.Equal(withEscapedExpected, s)
|
||||
func (suite *SanitizeTestSuite) TestSanitizeCaption2() {
|
||||
dodgyCaption := "<em>here's a LOUD caption</em>"
|
||||
sanitized := text.SanitizePlaintext(dodgyCaption)
|
||||
suite.Equal("here's a LOUD caption", sanitized)
|
||||
}
|
||||
|
||||
func (suite *SanitizeTestSuite) TestSanitizeCaption3() {
|
||||
dodgyCaption := ""
|
||||
sanitized := text.SanitizePlaintext(dodgyCaption)
|
||||
suite.Equal("", sanitized)
|
||||
}
|
||||
|
||||
func (suite *SanitizeTestSuite) TestSanitizeCaption4() {
|
||||
dodgyCaption := `
|
||||
|
||||
|
||||
here is
|
||||
a multi line
|
||||
caption
|
||||
with some newlines
|
||||
|
||||
|
||||
|
||||
`
|
||||
sanitized := text.SanitizePlaintext(dodgyCaption)
|
||||
suite.Equal("here is\na multi line\ncaption\nwith some newlines", sanitized)
|
||||
}
|
||||
|
||||
func (suite *SanitizeTestSuite) TestSanitizeCaption5() {
|
||||
// html-escaped: "<script>console.log('aha!')</script> hello world"
|
||||
dodgyCaption := `<script>console.log('aha!')</script> hello world`
|
||||
sanitized := text.SanitizePlaintext(dodgyCaption)
|
||||
suite.Equal("hello world", sanitized)
|
||||
}
|
||||
|
||||
func (suite *SanitizeTestSuite) TestSanitizeCaption6() {
|
||||
// html-encoded: "<script>console.log('aha!')</script> hello world"
|
||||
dodgyCaption := `<script>console.log('aha!')</script> hello world`
|
||||
sanitized := text.SanitizePlaintext(dodgyCaption)
|
||||
suite.Equal("hello world", sanitized)
|
||||
}
|
||||
|
||||
func TestSanitizeTestSuite(t *testing.T) {
|
||||
|
Reference in New Issue
Block a user