diff --git a/config/pixelfed.php b/config/pixelfed.php
index 90f85d5e1..fcd67ee6e 100644
--- a/config/pixelfed.php
+++ b/config/pixelfed.php
@@ -278,4 +278,8 @@ return [
 ],
 'oauth_enabled' => env('OAUTH_ENABLED', false),
+
+ 'sanitizer' => [
+ 'strict_mode' => env('SANITIZER_STRICT', true)
+ ],
 ];
diff --git a/config/purify.php b/config/purify.php
index 5c09c28c6..409555d65 100644
--- a/config/purify.php
+++ b/config/purify.php
@@ -67,7 +67,10 @@ return [
 |
 */
- 'HTML.Allowed' => 'a[href|title|rel],p,strong,em,i,u,h1,h2,h3,h4,h5,ul,ol,li,br',
+ 'HTML.Allowed' => env('SANITIZER_STRICT', true) ?
+ 'a[href|title|rel],p,span,br' :
+ 'a[href|title|rel],p,span,strong,em,i,h1,h2,h3,h4,h5,ul,ol,li,br',
+
 /*
 |--------------------------------------------------------------------------
@@ -136,6 +139,23 @@ return [
 'nofollow'
 ],
+ 'HTML.TargetBlank' => true,
+
+ 'HTML.Nofollow' => true,
+
+ 'URI.DefaultScheme' => 'https',
+
+ 'URI.DisableExternalResources' => true,
+
+ 'URI.DisableResources' => true,
+
+ 'URI.AllowedSchemes' => [
+ 'http' => true,
+ 'https' => true,
+ ],
+
+ 'URI.HostBlacklist' => config('costar.enabled') ? config('costar.domain.block') : [],
+
 ],
 ];
diff --git a/tests/Unit/PurifierTest.php b/tests/Unit/PurifierTest.php
index b6852c369..844467f2a 100644
--- a/tests/Unit/PurifierTest.php
+++ b/tests/Unit/PurifierTest.php
@@ -13,11 +13,15 @@ class PurifierTest extends TestCase
 public function puckTest() {
 $actual = Purify::clean("catgirl spinning around in the interblag");
- $expected = 'catgirl spinning around in the interblag';
+ $expected = 'catgirl spinning around in the interblag';
 $this->assertEquals($expected, $actual);
 $actual = Purify::clean("
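Review bot: The new `sanitizer.strict_mode` key has no comment saying what strict mode actually restricts, so a reader has to open config/purify.php to learn that it collapses the HTML allow-list to `a`, `p`, `span` and `br`. I would add above the key: `// When true, Purify's HTML.Allowed is reduced to links, paragraphs, spans and line breaks (see config/purify.php); SANITIZER_STRICT=false re-enables headings, lists and inline emphasis.` Note that purify.php reads `SANITIZER_STRICT` from the environment directly rather than through this key, so the two defaults must be kept in sync by hand if either ever changes. The enclosing return array starts before the hunk.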
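Review bot: `env('SANITIZER_STRICT', true)` is evaluated a second time here instead of reading the `pixelfed.sanitizer.strict_mode` key the same commit introduces, so the two defaults can drift apart without anyone noticing. This file already resolves other config at load time (`config('costar.enabled')` in the next hunk), so `'HTML.Allowed' => config('pixelfed.sanitizer.strict_mode', true) ?` would keep a single source of truth, with the caveat that it relies on config/pixelfed.php being loaded first — Laravel's alphabetical load order gives you that, but nothing enforces it, so it deserves a one-line comment. The strict branch is a sound default for user-supplied HTML: no attribute is allowed on `span`, and `href` remains the only attribute that can carry a URI, which is what the scheme allow-list in the next hunk is guarding. The enclosing settings array starts before the hunk.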
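Review bot: `'URI.HostBlacklist' => config('costar.enabled') ? config('costar.domain.block') : []` passes whatever is stored under `costar.domain.block` straight through, and if that key is unset (null) or stored as a single string the value is not the list HTMLPurifier expects; as far as I recall its config validator then discards the setting with a warning, so the blocklist would silently do nothing. `'URI.HostBlacklist' => config('costar.enabled') ? (array) config('costar.domain.block', []) : [],` closes that gap. Two caveats worth a comment next to the new keys: I believe the host blacklist is a substring match on the parsed host and does no IDN/punycode normalisation, so it is a nuisance filter rather than a security boundary, and `HTML.Nofollow`/`HTML.TargetBlank` can only tell local links from external ones when `URI.Host` is configured — if it is not set elsewhere in this file, links to the instance itself will also receive `nofollow` and `target="_blank"`. Restricting `URI.AllowedSchemes` to http/https is the right call since it removes `javascript:`, `data:` and `mailto:` hrefs, but nothing in the commit's tests exercises it. The enclosing settings array starts before the hunk.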
catgirl spinning around in the interblag
");
 $expected = 'catgirl spinning around in the interblag
';
 $this->assertEquals($expected, $actual);
+
+ $actual = Purify::clean('pixelfed');
+ $expected = 'pixelfed';
+ $this->assertEquals($expected, $actual);
 }
 }
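Review bot: The new assertions are added to `puckTest()`, which neither starts with `test` nor carries a `@test` annotation, so PHPUnit will not execute this method and the sanitizer change ships without a running check; renaming it to `public function testPuck()` (the signature is a context line in this hunk) or adding `/** @test */` above it fixes that. The removed and added `$expected` lines also read identically here, which suggests the page extraction stripped the markup — worth confirming that the committed expectations really contain the tags the sanitizer is meant to keep or drop. None of the cases touch the new URI rules; one assertion such as `$this->assertStringNotContainsString('javascript:', Purify::clean('<a href="javascript:alert(1)">x</a>'));` would pin the scheme allow-list, and a companion case should check that `target="_blank"` and a `rel` containing `nofollow` are actually emitted for an external link, since `target` is not in `HTML.Allowed` and I am not certain the post-transform bypasses that filter.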