kopia lustrzana https://github.com/cloudflare/wildebeest
fix sanitize Actor summary instead of content & testing
rodzic
b6e98134a0
commit
ade9e669ab
|
@ -43,32 +43,32 @@ export async function get(url: string | URL): Promise<Actor> {
|
|||
|
||||
const data = await res.json<any>()
|
||||
const actor: Actor = { ...data }
|
||||
actor.id = new URL(data.id)
|
||||
actor.id = new URL(actor.id)
|
||||
|
||||
if (data.content) {
|
||||
actor.content = await sanitizeContent(data.content)
|
||||
if (actor.summary) {
|
||||
actor.summary = await sanitizeContent(actor.summary)
|
||||
}
|
||||
if (data.name) {
|
||||
actor.name = await getTextContent(data.name)
|
||||
if (actor.name) {
|
||||
actor.name = await getTextContent(actor.name)
|
||||
}
|
||||
if (data.preferredUsername) {
|
||||
actor.preferredUsername = await getTextContent(data.preferredUsername)
|
||||
if (actor.preferredUsername) {
|
||||
actor.preferredUsername = await getTextContent(actor.preferredUsername)
|
||||
}
|
||||
|
||||
// This is mostly for testing where for convenience not all values
|
||||
// are provided.
|
||||
// TODO: eventually clean that to better match production.
|
||||
if (data.inbox !== undefined) {
|
||||
actor.inbox = new URL(data.inbox)
|
||||
if (actor.inbox !== undefined) {
|
||||
actor.inbox = new URL(actor.inbox)
|
||||
}
|
||||
if (data.following !== undefined) {
|
||||
actor.following = new URL(data.following)
|
||||
if (actor.following !== undefined) {
|
||||
actor.following = new URL(actor.following)
|
||||
}
|
||||
if (data.followers !== undefined) {
|
||||
actor.followers = new URL(data.followers)
|
||||
if (actor.followers !== undefined) {
|
||||
actor.followers = new URL(actor.followers)
|
||||
}
|
||||
if (data.outbox !== undefined) {
|
||||
actor.outbox = new URL(data.outbox)
|
||||
if (actor.outbox !== undefined) {
|
||||
actor.outbox = new URL(actor.outbox)
|
||||
}
|
||||
|
||||
return actor
|
||||
|
|
|
@ -22,6 +22,7 @@ const vapidKeys = {} as JWK
|
|||
const domain = 'cloudflare.com'
|
||||
|
||||
describe('ActivityPub', () => {
|
||||
describe('Actors', () => {
|
||||
test('fetch non-existant user by id', async () => {
|
||||
const db = await makeDB()
|
||||
|
||||
|
@ -61,6 +62,29 @@ describe('ActivityPub', () => {
|
|||
assert.equal(data.publicKey.publicKeyPem, pubKey)
|
||||
})
|
||||
|
||||
test('sanitize Actor properties', async () => {
|
||||
globalThis.fetch = async (input: RequestInfo) => {
|
||||
if (input === 'https://example.com/actor') {
|
||||
return new Response(
|
||||
JSON.stringify({
|
||||
id: 'https://example.com/actor',
|
||||
type: 'Person',
|
||||
summary: "it's me, Mario. <script>alert(1)</script>",
|
||||
name: 'hi<br />hey',
|
||||
preferredUsername: 'sven <script>alert(1)</script>',
|
||||
})
|
||||
)
|
||||
}
|
||||
throw new Error(`unexpected request to "${input}"`)
|
||||
}
|
||||
|
||||
const actor = await actors.get('https://example.com/actor')
|
||||
assert.equal(actor.summary, "it's me, Mario. <p>alert(1)</p>")
|
||||
assert.equal(actor.name, 'hi hey')
|
||||
assert.equal(actor.preferredUsername, 'sven alert(1)')
|
||||
})
|
||||
})
|
||||
|
||||
describe('Outbox', () => {
|
||||
test('return outbox', async () => {
|
||||
const db = await makeDB()
|
||||
|
|
Ładowanie…
Reference in New Issue