Whitelist allowed classes for federated statuses (#3810)

* Whitelist allowed classes for federated statuses Allowed classes are currently: - Any microformats class (h/p/u/dt/e-*) - the classes mention, hashtag, ellipses and invisible. this last one is somewhat suspect, but Mastodon currently uses it to render hidden link text. resolved #3790 * Fix code style
2017-06-17 14:26:05 -04:00 · 2017-06-17 14:26:05 -04:00 · 94d0e012de
commit 94d0e012de
parent 8fd931dc12
2 changed files with 28 additions and 1 deletions
--- a/spec/lib/formatter_spec.rb
+++ b/spec/lib/formatter_spec.rb
@ -204,6 +204,14 @@ RSpec.describe Formatter do
        is_expected.to_not include '<script>alert("Hello")</script>'
      end
    end
+
+    context 'contains malicious classes' do
+      let(:text) { '<span class="status__content__spoiler-link">Show more</span>' }
+
+      it 'strips malicious classes' do
+        is_expected.to_not include 'status__content__spoiler-link'
+      end
+    end
  end

  describe '#plaintext' do