feat(api): ✨ Allow more HTML tags in Markdown

2026-03-13 22:09:16 +01:00 · 2024-05-11 15:27:19 -10:00 · 2024-05-11 15:27:19 -10:00 · b979daa39a
commit b979daa39a
parent 4ce5dfeae3
3 changed files with 100 additions and 9 deletions
--- a/server/api/api/v1/accounts/update_credentials/index.ts
+++ b/server/api/api/v1/accounts/update_credentials/index.ts
@ -1,7 +1,7 @@
 import { applyConfig, auth, handleZodError, qs } from "@api";
 import { zValidator } from "@hono/zod-validator";
 import { errorResponse, jsonResponse } from "@response";
-import { sanitizeHtml, sanitizedHtmlStrip } from "@sanitization";
+import { sanitizedHtmlStrip } from "@sanitization";
 import { config } from "config-manager";
 import { and, eq } from "drizzle-orm";
 import type { Hono } from "hono";
@ -224,17 +224,25 @@ export default (app: Hono) =>
                self.source.fields = [];
                for (const field of fields_attributes) {
                    // Can be Markdown or plaintext, also has emojis
-                    const parsedName = await contentToHtml({
-                        "text/markdown": {
-                            content: field.name,
+                    const parsedName = await contentToHtml(
+                        {
+                            "text/markdown": {
+                                content: field.name,
+                            },
                        },
-                    });
+                        undefined,
+                        true,
+                    );

-                    const parsedValue = await contentToHtml({
-                        "text/markdown": {
-                            content: field.value,
+                    const parsedValue = await contentToHtml(
+                        {
+                            "text/markdown": {
+                                content: field.value,
+                            },
                        },
-                    });
+                        undefined,
+                        true,
+                    );

                    // Parse emojis
                    const nameEmojis = await parseEmojis(parsedName);
--- a/server/api/api/v1/statuses/index.test.ts
+++ b/server/api/api/v1/statuses/index.test.ts
@ -394,5 +394,37 @@ describe(meta.route, () => {
                "uwu &#x3C;script&#x3E;alert(&#x27;Hello, world!&#x27;);&#x3C;/script&#x3E;",
            );
        });
+
+        test("should rewrite all image and video src to go through proxy", async () => {
+            const response = await sendTestRequest(
+                new Request(new URL(meta.route, config.http.base_url), {
+                    method: "POST",
+                    headers: {
+                        Authorization: `Bearer ${tokens[0].accessToken}`,
+                    },
+                    body: new URLSearchParams({
+                        status: "<img src='https://example.com/image.jpg'> <video src='https://example.com/video.mp4'> Test!",
+                        federate: "false",
+                    }),
+                }),
+            );
+
+            expect(response.status).toBe(200);
+            expect(response.headers.get("content-type")).toBe(
+                "application/json",
+            );
+
+            const object = (await response.json()) as APIStatus;
+            // Proxy url is base_url/media/proxy/<base64url encoded url>
+            expect(object.content).toBe(
+                `<p><img src="${config.http.base_url}/media/proxy/${Buffer.from(
+                    "https://example.com/image.jpg",
+                ).toString("base64url")}"> <video src="${
+                    config.http.base_url
+                }/media/proxy/${Buffer.from(
+                    "https://example.com/video.mp4",
+                ).toString("base64url")}"> Test!</p>`,
+            );
+        });
    });
 });