normalise markup by default (#316)

why was this _not_ default?

honestly i'm surprised pleroma hasn't exploded yet

Co-authored-by: FloatingGhost <hannah@coffee-and-dreams.uk>
Reviewed-on: https://akkoma.dev/AkkomaGang/akkoma/pulls/316
This commit is contained in:
floatingghost 2022-11-26 21:06:20 +00:00
parent e3085c495c
commit 98a21debf9
5 changed files with 9 additions and 3 deletions

View file

@ -13,6 +13,7 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/).
## Changed ## Changed
- MastoAPI: Accept BooleanLike input on `/api/v1/accounts/:id/follow` (fixes follows with mastodon.py) - MastoAPI: Accept BooleanLike input on `/api/v1/accounts/:id/follow` (fixes follows with mastodon.py)
- Relays from akkoma are now off by default - Relays from akkoma are now off by default
- NormalizeMarkup MRF is now on by default
## 2022.11 ## 2022.11

View file

@ -120,6 +120,8 @@ To add configuration to your config file, you can copy it from the base config.
* `Pleroma.Web.ActivityPub.MRF.FollowBotPolicy`: Automatically follows newly discovered users from the specified bot account. Local accounts, locked accounts, and users with "#nobot" in their bio are respected and excluded from being followed. * `Pleroma.Web.ActivityPub.MRF.FollowBotPolicy`: Automatically follows newly discovered users from the specified bot account. Local accounts, locked accounts, and users with "#nobot" in their bio are respected and excluded from being followed.
* `Pleroma.Web.ActivityPub.MRF.AntiFollowbotPolicy`: Drops follow requests from followbots. Users can still allow bots to follow them by first following the bot. * `Pleroma.Web.ActivityPub.MRF.AntiFollowbotPolicy`: Drops follow requests from followbots. Users can still allow bots to follow them by first following the bot.
* `Pleroma.Web.ActivityPub.MRF.KeywordPolicy`: Rejects or removes from the federated timeline or replaces keywords. (See [`:mrf_keyword`](#mrf_keyword)). * `Pleroma.Web.ActivityPub.MRF.KeywordPolicy`: Rejects or removes from the federated timeline or replaces keywords. (See [`:mrf_keyword`](#mrf_keyword)).
* `Pleroma.Web.ActivityPub.MRF.NormalizeMarkup`: Pass inbound HTML through a scrubber to make sure it doesn't have anything unusual in it. On by default, cannot be turned off.
* `Pleroma.Web.ActivityPub.MRF.InlineQuotePolicy`: Append a link to a post that quotes another post with the link to the quoted post, to ensure that software that does not understand quotes can have full context. On by default, cannot be turned off.
* `transparency`: Make the content of your Message Rewrite Facility settings public (via nodeinfo). * `transparency`: Make the content of your Message Rewrite Facility settings public (via nodeinfo).
* `transparency_exclusions`: Exclude specific instance names from MRF transparency. The use of the exclusions feature will be disclosed in nodeinfo as a boolean value. * `transparency_exclusions`: Exclude specific instance names from MRF transparency. The use of the exclusions feature will be disclosed in nodeinfo as a boolean value.
* `transparency_obfuscate_domains`: Show domains with `*` in the middle, to censor them if needed. For example, `ridingho.me` will show as `rid*****.me` * `transparency_obfuscate_domains`: Show domains with `*` in the middle, to censor them if needed. For example, `ridingho.me` will show as `rid*****.me`

View file

@ -140,7 +140,8 @@ defmodule Pleroma.Web.ActivityPub.MRF do
|> get_policies() |> get_policies()
|> Enum.concat([ |> Enum.concat([
Pleroma.Web.ActivityPub.MRF.HashtagPolicy, Pleroma.Web.ActivityPub.MRF.HashtagPolicy,
Pleroma.Web.ActivityPub.MRF.InlineQuotePolicy Pleroma.Web.ActivityPub.MRF.InlineQuotePolicy,
Pleroma.Web.ActivityPub.MRF.NormalizeMarkup
]) ])
|> Enum.uniq() |> Enum.uniq()
end end

View file

@ -15,6 +15,7 @@ defmodule Pleroma.Web.ActivityPub.MRF.NormalizeMarkupTest do
this is a link with not allowed "rel" attribute: <a href="http://example.com/" rel="tag noallowed">example.com</a> this is a link with not allowed "rel" attribute: <a href="http://example.com/" rel="tag noallowed">example.com</a>
this is an image: <img src="http://example.com/image.jpg"><br /> this is an image: <img src="http://example.com/image.jpg"><br />
<script>alert('hacked')</script> <script>alert('hacked')</script>
<div class="wow no classes here">mean</div>
""" """
@expected """ @expected """
@ -25,6 +26,7 @@ defmodule Pleroma.Web.ActivityPub.MRF.NormalizeMarkupTest do
this is a link with not allowed &quot;rel&quot; attribute: <a href="http://example.com/">example.com</a> this is a link with not allowed &quot;rel&quot; attribute: <a href="http://example.com/">example.com</a>
this is an image: <img src="http://example.com/image.jpg"/><br/> this is an image: <img src="http://example.com/image.jpg"/><br/>
alert(&#39;hacked&#39;) alert(&#39;hacked&#39;)
mean
""" """
test "it filter html tags" do test "it filter html tags" do

View file

@ -77,7 +77,7 @@ defmodule Pleroma.Web.ActivityPub.MRFTest do
clear_config([:mrf, :policies], [Pleroma.Web.ActivityPub.MRF.NoOpPolicy]) clear_config([:mrf, :policies], [Pleroma.Web.ActivityPub.MRF.NoOpPolicy])
expected = %{ expected = %{
mrf_policies: ["NoOpPolicy", "HashtagPolicy", "InlineQuotePolicy"], mrf_policies: ["NoOpPolicy", "HashtagPolicy", "InlineQuotePolicy", "NormalizeMarkup"],
mrf_hashtag: %{ mrf_hashtag: %{
federated_timeline_removal: [], federated_timeline_removal: [],
reject: [], reject: [],
@ -93,7 +93,7 @@ defmodule Pleroma.Web.ActivityPub.MRFTest do
clear_config([:mrf, :policies], [MRFModuleMock]) clear_config([:mrf, :policies], [MRFModuleMock])
expected = %{ expected = %{
mrf_policies: ["MRFModuleMock", "HashtagPolicy", "InlineQuotePolicy"], mrf_policies: ["MRFModuleMock", "HashtagPolicy", "InlineQuotePolicy", "NormalizeMarkup"],
mrf_module_mock: "some config data", mrf_module_mock: "some config data",
mrf_hashtag: %{ mrf_hashtag: %{
federated_timeline_removal: [], federated_timeline_removal: [],