mastodon/app/lib/sanitize_config.rb

# frozen_string_literal: true

class Sanitize
  module Config
    HTTP_PROTOCOLS ||= ['http', 'https', :relative].freeze

    CLASS_WHITELIST_TRANSFORMER = lambda do |env|
      node = env[:node]
      class_list = node['class']&.split(/[\t\n\f\r ]/)

      return unless class_list

      class_list.keep_if do |e|
        next true if e =~ /^(h|p|u|dt|e)-/ # microformats classes
        next true if e =~ /^(mention|hashtag)$/ # semantic classes
        next true if e =~ /^(ellipsis|invisible)$/ # link formatting classes
      end

      node['class'] = class_list.join(' ')
    end

    MASTODON_STRICT ||= freeze_config(
      elements: %w(p br span a),

      attributes: {
        'a'    => %w(href rel class),
        'span' => %w(class),
      },

      add_attributes: {
        'a' => {
          'rel' => 'nofollow noopener',
          'target' => '_blank',
        },
      },

      protocols: {
        'a' => { 'href' => HTTP_PROTOCOLS },
      },

      transformers: [
        CLASS_WHITELIST_TRANSFORMER,
      ]
    )

    MASTODON_OEMBED ||= freeze_config merge(
      RELAXED,
      elements: RELAXED[:elements] + %w(audio embed iframe source video),

      attributes: merge(
        RELAXED[:attributes],
        'audio'  => %w(controls),
        'embed'  => %w(height src type width),
        'iframe' => %w(allowfullscreen frameborder height scrolling src width),
        'source' => %w(src type),
        'video'  => %w(controls height loop width),
        'div'    => [:data]
      ),

      protocols: merge(
        RELAXED[:protocols],
        'embed'  => { 'src' => HTTP_PROTOCOLS },
        'iframe' => { 'src' => HTTP_PROTOCOLS },
        'source' => { 'src' => HTTP_PROTOCOLS }
      )
    )
  end
end
OEmbed support for PreviewCard (#2337) * OEmbed support for PreviewCard * Improve ProviderDiscovery code failure treatment * Do not crawl links if there is a content warning, since those don't display a link card anyway * Reset db schema * Fresh migrate * Fix rubocop style issues Fix #1681 - return existing access token when applicable instead of creating new * Fix test * Extract http client to helper * Improve oembed controller 2017-04-27 14:42:22 +02:00			`# frozen_string_literal: true`

			`class Sanitize`
			`module Config`
			`HTTP_PROTOCOLS \|\|= ['http', 'https', :relative].freeze`

Whitelist allowed classes for federated statuses (#3810) * Whitelist allowed classes for federated statuses Allowed classes are currently: - Any microformats class (h/p/u/dt/e-) - the classes mention, hashtag, ellipses and invisible. this last one is somewhat suspect, but Mastodon currently uses it to render hidden link text. resolved #3790 Fix code style 2017-06-17 14:26:05 -04:00			`CLASS_WHITELIST_TRANSFORMER = lambda do \|env\|`
			`node = env[:node]`
[!] Sanitize incoming classlist properly (#6162) * Sanitize classlist properly * Actually properly sanitize every class after the first * Improve Formatter spec to check for multiple classes and non-space whitespace 2018-01-03 03:54:08 +01:00			`class_list = node['class']&.split(/[\t\n\f\r ]/)`
Whitelist allowed classes for federated statuses (#3810) * Whitelist allowed classes for federated statuses Allowed classes are currently: - Any microformats class (h/p/u/dt/e-) - the classes mention, hashtag, ellipses and invisible. this last one is somewhat suspect, but Mastodon currently uses it to render hidden link text. resolved #3790 Fix code style 2017-06-17 14:26:05 -04:00
			`return unless class_list`

			`class_list.keep_if do \|e\|`
[!] Sanitize incoming classlist properly (#6162) * Sanitize classlist properly * Actually properly sanitize every class after the first * Improve Formatter spec to check for multiple classes and non-space whitespace 2018-01-03 03:54:08 +01:00			`next true if e =~ /^(h\|p\|u\|dt\|e)-/ # microformats classes`
			`next true if e =~ /^(mention\|hashtag)$/ # semantic classes`
			`next true if e =~ /^(ellipsis\|invisible)$/ # link formatting classes`
Whitelist allowed classes for federated statuses (#3810) * Whitelist allowed classes for federated statuses Allowed classes are currently: - Any microformats class (h/p/u/dt/e-) - the classes mention, hashtag, ellipses and invisible. this last one is somewhat suspect, but Mastodon currently uses it to render hidden link text. resolved #3790 Fix code style 2017-06-17 14:26:05 -04:00			`end`

			`node['class'] = class_list.join(' ')`
			`end`

OEmbed support for PreviewCard (#2337) * OEmbed support for PreviewCard * Improve ProviderDiscovery code failure treatment * Do not crawl links if there is a content warning, since those don't display a link card anyway * Reset db schema * Fresh migrate * Fix rubocop style issues Fix #1681 - return existing access token when applicable instead of creating new * Fix test * Extract http client to helper * Improve oembed controller 2017-04-27 14:42:22 +02:00			`MASTODON_STRICT \|\|= freeze_config(`
			`elements: %w(p br span a),`

			`attributes: {`
Allow "class" attribute on the "a" tag in sanitization (#3623) This preserves `<a ... class="u-url mention">` from other Mastodon instances. 2017-06-07 22:57:30 +09:00			`'a' => %w(href rel class),`
OEmbed support for PreviewCard (#2337) * OEmbed support for PreviewCard * Improve ProviderDiscovery code failure treatment * Do not crawl links if there is a content warning, since those don't display a link card anyway * Reset db schema * Fresh migrate * Fix rubocop style issues Fix #1681 - return existing access token when applicable instead of creating new * Fix test * Extract http client to helper * Improve oembed controller 2017-04-27 14:42:22 +02:00			`'span' => %w(class),`
			`},`

Add target=_blank to user note (#2622) * Add target=_blank to user note Open new window when click link from user profile in remote instance. * fix rubocop 2017-04-30 07:28:41 +09:00			`add_attributes: {`
			`'a' => {`
			`'rel' => 'nofollow noopener',`
			`'target' => '_blank',`
			`},`
			`},`

OEmbed support for PreviewCard (#2337) * OEmbed support for PreviewCard * Improve ProviderDiscovery code failure treatment * Do not crawl links if there is a content warning, since those don't display a link card anyway * Reset db schema * Fresh migrate * Fix rubocop style issues Fix #1681 - return existing access token when applicable instead of creating new * Fix test * Extract http client to helper * Improve oembed controller 2017-04-27 14:42:22 +02:00			`protocols: {`
			`'a' => { 'href' => HTTP_PROTOCOLS },`
Whitelist allowed classes for federated statuses (#3810) * Whitelist allowed classes for federated statuses Allowed classes are currently: - Any microformats class (h/p/u/dt/e-) - the classes mention, hashtag, ellipses and invisible. this last one is somewhat suspect, but Mastodon currently uses it to render hidden link text. resolved #3790 Fix code style 2017-06-17 14:26:05 -04:00			`},`

			`transformers: [`
			`CLASS_WHITELIST_TRANSFORMER,`
			`]`
OEmbed support for PreviewCard (#2337) * OEmbed support for PreviewCard * Improve ProviderDiscovery code failure treatment * Do not crawl links if there is a content warning, since those don't display a link card anyway * Reset db schema * Fresh migrate * Fix rubocop style issues Fix #1681 - return existing access token when applicable instead of creating new * Fix test * Extract http client to helper * Improve oembed controller 2017-04-27 14:42:22 +02:00			`)`

			`MASTODON_OEMBED \|\|= freeze_config merge(`
			`RELAXED,`
			`elements: RELAXED[:elements] + %w(audio embed iframe source video),`

			`attributes: merge(`
			`RELAXED[:attributes],`
			`'audio' => %w(controls),`
			`'embed' => %w(height src type width),`
			`'iframe' => %w(allowfullscreen frameborder height scrolling src width),`
			`'source' => %w(src type),`
			`'video' => %w(controls height loop width),`
			`'div' => [:data]`
			`),`

			`protocols: merge(`
			`RELAXED[:protocols],`
			`'embed' => { 'src' => HTTP_PROTOCOLS },`
			`'iframe' => { 'src' => HTTP_PROTOCOLS },`
			`'source' => { 'src' => HTTP_PROTOCOLS }`
			`)`
			`)`
			`end`
			`end`