Correctly sanitize MathML out of post content (#27107)

2024-11-28 12:02:34 +00:00 · 2024-11-28 12:02:34 +00:00 · 7f4858b339
commit 7f4858b339
parent 48f3ed738f
2 changed files with 59 additions and 0 deletions
--- a/lib/sanitize_ext/sanitize_config.rb
+++ b/lib/sanitize_ext/sanitize_config.rb
@ -64,6 +64,44 @@ class Sanitize
      current_node.wrap('<p></p>')
    end

+    # We assume that incomming <math> nodes are of the form
+    # <math><semantics>...<annotation>...</annotation></semantics></math>
+    # according to the [FEP]. We try to grab the most relevant plain-text
+    # annotation from the semantics node, and use it to display a representation
+    # of the mathematics.
+    #
+    # FEP: https://codeberg.org/fediverse/fep/src/branch/main/fep/dc88/fep-dc88.md
+    MATH_TRANSFORMER = lambda do |env|
+      math = env[:node]
+      return if env[:is_allowlisted]
+      return unless math.element? && env[:node_name] == 'math'
+
+      semantics = math.element_children[0]
+      return if semantics.nil? || semantics.name != 'semantics'
+
+      # next, we find the plain-text description
+      is_annotation_with_encoding = lambda do |encoding, node|
+        return false unless node.name == 'annotation'
+
+        node.attributes['encoding'].value == encoding
+      end
+
+      annotation = semantics.children.find(&is_annotation_with_encoding.curry['application/x-tex'])
+      if annotation
+        text = if math.attributes['display']&.value == 'block'
+                 "$$#{annotation.text}$$"
+               else
+                 "$#{annotation.text}$"
+               end
+        math.replace(math.document.create_text_node(text))
+        return
+      end
+      # Don't bother surrounding 'text/plain' annotations with dollar signs,
+      # since it isn't LaTeX
+      annotation = semantics.children.find(&is_annotation_with_encoding.curry['text/plain'])
+      math.replace(math.document.create_text_node(annotation.text)) unless annotation.nil?
+    end
+
    MASTODON_STRICT = freeze_config(
      elements: %w(p br span a del s pre blockquote code b strong u i em ul ol li ruby rt rp),

@ -86,6 +124,7 @@ class Sanitize
      transformers: [
        ALLOWED_CLASS_TRANSFORMER,
        TRANSLATE_TRANSFORMER,
+        MATH_TRANSFORMER,
        UNSUPPORTED_ELEMENTS_TRANSFORMER,
        UNSUPPORTED_HREF_TRANSFORMER,
      ]