diff --git a/priv/scrubbers/default.ex b/priv/scrubbers/default.ex
index 79fa6dcdf..e10e3ec87 100644
--- a/priv/scrubbers/default.ex
+++ b/priv/scrubbers/default.ex
@@ -68,13 +68,14 @@ defmodule Pleroma.HTML.Scrubber.Default do
@allow_inline_images Pleroma.Config.get([:markup, :allow_inline_images])
if @allow_inline_images do
+ Meta.allow_tag_with_this_attribute_values(:img, "class", ["emoji"])
+
# restrict img tags to http/https only, because of MediaProxy.
Meta.allow_tag_with_uri_attributes(:img, ["src"], ["http", "https"])
Meta.allow_tag_with_these_attributes(:img, [
"width",
"height",
- "class",
"title",
"alt"
])
diff --git a/priv/scrubbers/twitter_text.ex b/priv/scrubbers/twitter_text.ex
index a121a8209..6e23b3efb 100644
--- a/priv/scrubbers/twitter_text.ex
+++ b/priv/scrubbers/twitter_text.ex
@@ -45,13 +45,14 @@ defmodule Pleroma.HTML.Scrubber.TwitterText do
# allow inline images for custom emoji
if Pleroma.Config.get([:markup, :allow_inline_images]) do
+ Meta.allow_tag_with_this_attribute_values(:img, "class", ["emoji"])
+
# restrict img tags to http/https only, because of MediaProxy.
Meta.allow_tag_with_uri_attributes(:img, ["src"], ["http", "https"])
Meta.allow_tag_with_these_attributes(:img, [
"width",
"height",
- "class",
"title",
"alt"
])
diff --git a/test/pleroma/html_test.exs b/test/pleroma/html_test.exs
index 970baf63b..b99689903 100644
--- a/test/pleroma/html_test.exs
+++ b/test/pleroma/html_test.exs
@@ -17,6 +17,7 @@ defmodule Pleroma.HTMLTest do
this is a link with allowed "rel" attribute: example.com
this is a link with not allowed "rel" attribute: example.com
this is an image: 
+ this is an inline emoji:
"""
@@ -24,6 +25,10 @@ defmodule Pleroma.HTMLTest do
"""
+ @html_stillimage_sample """
+
+ """
+
@html_span_class_sample """
hi
"""
@@ -45,6 +50,7 @@ defmodule Pleroma.HTMLTest do
this is a link with allowed "rel" attribute: example.com
this is a link with not allowed "rel" attribute: example.com
this is an image:
+ this is an inline emoji:
alert('hacked')
"""
@@ -67,6 +73,7 @@ defmodule Pleroma.HTMLTest do
this is a link with allowed "rel" attribute: example.com
this is a link with not allowed "rel" attribute: example.com
this is an image:
+ this is an inline emoji:
alert('hacked')
"""
@@ -90,6 +97,15 @@ defmodule Pleroma.HTMLTest do
HTML.filter_tags(@html_span_class_sample, Pleroma.HTML.Scrubber.TwitterText)
end
+ test "does not allow images with invalid classes" do
+ expected = """
+
+ """
+
+ assert expected ==
+ HTML.filter_tags(@html_stillimage_sample, Pleroma.HTML.Scrubber.TwitterText)
+ end
+
test "does allow microformats" do
expected = """
@foo
@@ -121,6 +137,7 @@ defmodule Pleroma.HTMLTest do
this is a link with allowed "rel" attribute: example.com
this is a link with not allowed "rel" attribute: example.com
this is an image:
+ this is an inline emoji:
alert('hacked')
"""
@@ -143,6 +160,15 @@ defmodule Pleroma.HTMLTest do
assert expected == HTML.filter_tags(@html_span_class_sample, Pleroma.HTML.Scrubber.Default)
end
+ test "does not allow images with invalid classes" do
+ expected = """
+
+ """
+
+ assert expected ==
+ HTML.filter_tags(@html_stillimage_sample, Pleroma.HTML.Scrubber.TwitterText)
+ end
+
test "does allow microformats" do
expected = """
@foo