From 8f3e750530874df2a92d131e256e94dcc77260f1 Mon Sep 17 00:00:00 2001
From: "Haelwenn (lanodan) Monnier" <contact@hacktivis.me>
Date: Sun, 27 Nov 2022 03:40:21 +0100
Subject: scrubbers: Scrub img class attribute

Closes: https://git.pleroma.social/pleroma/pleroma/-/merge_requests/3790
---
 test/pleroma/html_test.exs | 26 ++++++++++++++++++++++++++
 1 file changed, 26 insertions(+)

(limited to 'test')

diff --git a/test/pleroma/html_test.exs b/test/pleroma/html_test.exs
index 970baf63b..b99689903 100644
--- a/test/pleroma/html_test.exs
+++ b/test/pleroma/html_test.exs
@@ -17,6 +17,7 @@ defmodule Pleroma.HTMLTest do
     this is a link with allowed "rel" attribute: <a href="http://example.com/" rel="tag">example.com</a>
     this is a link with not allowed "rel" attribute: <a href="http://example.com/" rel="tag noallowed">example.com</a>
     this is an image: <img src="http://example.com/image.jpg"><br />
+    this is an inline emoji: <img class="emoji" src="http://example.com/image.jpg"><br />
     <script>alert('hacked')</script>
   """
 
@@ -24,6 +25,10 @@ defmodule Pleroma.HTMLTest do
   <img src="http://example.com/image.jpg" onerror="alert('hacked')">
   """
 
+  @html_stillimage_sample """
+  <img class="still-image" src="http://example.com/image.jpg">
+  """
+
   @html_span_class_sample """
   <span class="animate-spin">hi</span>
   """
@@ -45,6 +50,7 @@ defmodule Pleroma.HTMLTest do
         this is a link with allowed &quot;rel&quot; attribute: example.com
         this is a link with not allowed &quot;rel&quot; attribute: example.com
         this is an image: 
+        this is an inline emoji: 
         alert(&#39;hacked&#39;)
       """
 
@@ -67,6 +73,7 @@ defmodule Pleroma.HTMLTest do
         this is a link with allowed &quot;rel&quot; attribute: <a href="http://example.com/" rel="tag">example.com</a>
         this is a link with not allowed &quot;rel&quot; attribute: <a href="http://example.com/">example.com</a>
         this is an image: <img src="http://example.com/image.jpg"/><br/>
+        this is an inline emoji: <img class="emoji" src="http://example.com/image.jpg"/><br/>
         alert(&#39;hacked&#39;)
       """
 
@@ -90,6 +97,15 @@ defmodule Pleroma.HTMLTest do
                HTML.filter_tags(@html_span_class_sample, Pleroma.HTML.Scrubber.TwitterText)
     end
 
+    test "does not allow images with invalid classes" do
+      expected = """
+      <img src="http://example.com/image.jpg"/>
+      """
+
+      assert expected ==
+               HTML.filter_tags(@html_stillimage_sample, Pleroma.HTML.Scrubber.TwitterText)
+    end
+
     test "does allow microformats" do
       expected = """
       <span class="h-card"><a class="u-url mention">@<span>foo</span></a></span>
@@ -121,6 +137,7 @@ defmodule Pleroma.HTMLTest do
         this is a link with allowed &quot;rel&quot; attribute: <a href="http://example.com/" rel="tag">example.com</a>
         this is a link with not allowed &quot;rel&quot; attribute: <a href="http://example.com/">example.com</a>
         this is an image: <img src="http://example.com/image.jpg"/><br/>
+        this is an inline emoji: <img class="emoji" src="http://example.com/image.jpg"/><br/>
         alert(&#39;hacked&#39;)
       """
 
@@ -143,6 +160,15 @@ defmodule Pleroma.HTMLTest do
       assert expected == HTML.filter_tags(@html_span_class_sample, Pleroma.HTML.Scrubber.Default)
     end
 
+    test "does not allow images with invalid classes" do
+      expected = """
+      <img src="http://example.com/image.jpg"/>
+      """
+
+      assert expected ==
+               HTML.filter_tags(@html_stillimage_sample, Pleroma.HTML.Scrubber.TwitterText)
+    end
+
     test "does allow microformats" do
       expected = """
       <span class="h-card"><a class="u-url mention">@<span>foo</span></a></span>
-- 
cgit v1.2.3