authorLibravatar tobi <31960611+tsmethurst@users.noreply.github.com>2024-03-04 11:46:59 +0100
committerLibravatar GitHub <noreply@github.com>2024-03-04 11:46:59 +0100
commitf487fc5d4be9175db571b5a573ea5d1f348f014a (patch)
tree87ac5031ef4a03145cc29f3c19275f8717eda944 /internal/ap/normalize_test.go
parent[docs] Update HTTP signature docs a bit (#2721) (diff)
[bugfix] Sanitize incoming PropertyValue fields (#2722)v0.14.0-rc3
Diffstat (limited to 'internal/ap/normalize_test.go')
-rw-r--r--internal/ap/normalize_test.go49
1 files changed, 49 insertions, 0 deletions
diff --git a/internal/ap/normalize_test.go b/internal/ap/normalize_test.go
index 33b1f6ea6..3e4dc86f5 100644
--- a/internal/ap/normalize_test.go
+++ b/internal/ap/normalize_test.go
@@ -177,6 +177,23 @@ func (suite *NormalizeTestSuite) getAccountable() (vocab.ActivityStreamsPerson,
"@context": "https://www.w3.org/ns/activitystreams",
"id": "https://example.org/users/someone",
"summary": "about: I'm a #Barbie #girl in a #Barbie #world\nLife in plastic, it's fantastic\nYou can brush my hair, undress me everywhere\nImagination, life is your creation\nI'm a blonde bimbo girl\nIn a fantasy world\nDress me up, make it tight\nI'm your dolly\nYou're my doll, rock and roll\nFeel the glamour in pink\nKiss me here, touch me there\nHanky panky",
+ "attachment": [
+ {
+ "name": "<strong>cheeky</strong>",
+ "type": "PropertyValue",
+ "value": "<script>alert(\"teehee!\")</script>"
+ },
+ {
+ "name": "buy me coffee?",
+ "type": "PropertyValue",
+ "value": "<a href=\"https://example.org/some_link_to_my_ko_fi\">Right here!</a>"
+ },
+ {
+ "name": "hello",
+ "type": "PropertyValue",
+ "value": "world"
+ }
+ ],
"type": "Person"
}`)
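Review bot: The "dodgy" fixture entry puts markup in the name (`"name": "<strong>cheeky</strong>"`) and a script in the value (`"value": "<script>alert(\"teehee!\")</script>"`) in the same attachment, so an assertion that this field is dropped cannot tell which of the two properties triggered the removal. Splitting it into two attachments — one with a marked-up name and a plain value, one with a plain name and a script-only value — would pin the intended rule for each case and would catch a regression where only one of the two is checked. Whether the sanitizer keys on the name, the value or both is not visible in this diff, so the split is a coverage suggestion rather than a claim about the current behaviour. The fixture is inside a raw string returned by getAccountable, whose body starts before this hunk, and the later test hunk that asserts on these fields runs past the end of the view.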
@@ -405,6 +422,38 @@ Kiss me here, touch me there
Hanky panky`, ap.ExtractSummary(accountable))
}
+func (suite *NormalizeTestSuite) TestNormalizeAccountableFields() {
+ accountable, rawAccount := suite.getAccountable()
+ fields := ap.ExtractFields(accountable)
+
+ // Dodgy field.
+ suite.Equal(`<strong>cheeky</strong>`, fields[0].Name)
+ suite.Equal(`<script>alert("teehee!")</script>`, fields[0].Value)
+
+ // More or less OK field.
+ suite.Equal(`buy me coffee?`, fields[1].Name)
+ suite.Equal(`<a href="https://example.org/some_link_to_my_ko_fi">Right here!</a>`, fields[1].Value)
+
+ // Fine field.
+ suite.Equal(`hello`, fields[2].Name)
+ suite.Equal(`world`, fields[2].Value)
+
+ // Normalize 'em.
+ ap.NormalizeIncomingFields(accountable, rawAccount)
+
+ // Dodgy field should be removed.
+ fields = ap.ExtractFields(accountable)
+ suite.Len(fields, 2)
+
+ // More or less OK field is now very OK.
+ suite.Equal(`buy me coffee?`, fields[0].Name)
+ suite.Equal(`<a href="https://example.org/some_link_to_my_ko_fi" rel="nofollow noreferrer noopener" target="_blank">Right here!</a>`, fields[0].Value)
+
+ // Fine field continues to be fine.
+ suite.Equal(`hello`, fields[1].Name)
+ suite.Equal(`world`, fields[1].Value)
+}
+
func (suite *NormalizeTestSuite) TestNormalizeStatusableSummary() {
statusable, rawAccount := suite.getStatusableWithWeirdSummaryAndName()
suite.Equal(`warning: #WEIRD%20%23SUMMARY%20;;;;a;;a;asv%20%20%20%20khop8273987(*%5E&%5E)`, ap.ExtractSummary(statusable))