diff --git a/lib/pleroma/reverse_proxy.ex b/lib/pleroma/reverse_proxy.ex
index 91cf1bba3..b44f0b90a 100644
--- a/lib/pleroma/reverse_proxy.ex
+++ b/lib/pleroma/reverse_proxy.ex
@@ -251,6 +251,7 @@ defmodule Pleroma.ReverseProxy do
|> Enum.filter(fn {k, _} -> k in @keep_resp_headers end)
|> build_resp_cache_headers(opts)
|> build_resp_content_disposition_header(opts)
+ |> build_csp_headers()
|> Keyword.merge(Keyword.get(opts, :resp_headers, []))
end
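Review bot: `build_csp_headers()` is applied before `Keyword.merge(Keyword.get(opts, :resp_headers, []))`, so a caller-supplied `"content-security-policy"` entry in `:resp_headers` would be merged after the hardening added here and could loosen or duplicate it. If the policy is meant to be non-negotiable for proxied media, move `|> build_csp_headers()` to the end of the pipeline, after the merge, so it is the last word on that header. The enclosing function starts outside the hunk.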
@@ -316,6 +317,10 @@ defmodule Pleroma.ReverseProxy do
end
end
+ defp build_csp_headers(headers) do
+ List.keystore(headers, "content-security-policy", 0, {"content-security-policy", "sandbox"})
+ end
+
defp header_length_constraint(headers, limit) when is_integer(limit) and limit > 0 do
with {_, size} <- List.keyfind(headers, "content-length", 0),
{size, _} <- Integer.parse(size),
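Review bot: `build_csp_headers/1` carries no comment and relies on `List.keystore/4` matching the key `"content-security-policy"` exactly, so it only replaces an upstream CSP if header names have already been lower-cased by the time they reach this pipeline (not visible here — confirm); a differently-cased upstream `Content-Security-Policy` would survive alongside it, which browsers enforce jointly, so that is safe but worth stating. Add above the clause: `# Proxied remote media is served from this instance's origin; a bare "sandbox" CSP gives the document an opaque origin and disables scripts and forms, so an HTML/SVG payload cannot act as this site.` Also consider keeping this policy identical to the one set in `Pleroma.Web.Plugs.UploadedMedia`, since both paths serve user-controlled bytes from the instance origin and this commit makes them diverge.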
diff --git a/lib/pleroma/web/plugs/uploaded_media.ex b/lib/pleroma/web/plugs/uploaded_media.ex
index 8a7ff54e4..e0a862cf7 100644
--- a/lib/pleroma/web/plugs/uploaded_media.ex
+++ b/lib/pleroma/web/plugs/uploaded_media.ex
@@ -44,7 +44,7 @@ defmodule Pleroma.Web.Plugs.UploadedMedia do
conn ->
conn
end
- |> merge_resp_headers([{"content-security-policy", "sandbox"}])
+ |> merge_resp_headers([{"content-security-policy", "script-src none"}])
config = Pleroma.Config.get(Pleroma.Upload)
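Review bot: `script-src none` is not the keyword form: in CSP the keyword must be single-quoted as `'none'`, and an unquoted `none` is parsed as a host-source for a host literally named `none`, which browsers flag as an invalid source; scripts end up blocked only by accident. Change the header to `"script-src 'none'"`. Dropping `sandbox` also gives up the opaque origin and the block on form submission, plugins and navigation that protected uploaded HTML/SVG served from the instance origin; if it was removed because it broke a viewer, record that reason in a comment, and consider `"default-src 'none'"`, which still blocks scripts while denying every other sub-resource. `Pleroma.ReverseProxy` in this same commit keeps a bare `sandbox`, so the two media-serving paths now apply different policies. The enclosing function starts before the hunk.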
diff --git a/lib/pleroma/web/rich_media/parsers/o_embed.ex b/lib/pleroma/web/rich_media/parsers/o_embed.ex
index 09eabec56..695740d2e 100644
--- a/lib/pleroma/web/rich_media/parsers/o_embed.ex
+++ b/lib/pleroma/web/rich_media/parsers/o_embed.ex
@@ -6,8 +6,8 @@ defmodule Pleroma.Web.RichMedia.Parsers.OEmbed do
def parse(html, _data) do
with elements = [_ | _] <- get_discovery_data(html),
oembed_url when is_binary(oembed_url) <- get_oembed_url(elements),
- {:ok, oembed_data} <- get_oembed_data(oembed_url) do
- oembed_data
+ {:ok, oembed_data = %{"html" => html}} <- get_oembed_data(oembed_url) do
+ %{oembed_data | "html" => Pleroma.HTML.filter_tags(html)}
else
_e -> %{}
end
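Review bot: The new match `{:ok, oembed_data = %{"html" => html}}` makes the `"html"` key mandatory, so oEmbed payloads without it (the `photo` and `link` types do not carry `html`) now fall into `else` and are discarded as `%{}`, whereas before this change they were returned intact. Keep the original match and filter only when the key is present, e.g. `{:ok, oembed_data} <- get_oembed_data(oembed_url) do` followed by `if Map.has_key?(oembed_data, "html"), do: Map.update!(oembed_data, "html", &Pleroma.HTML.filter_tags/1), else: oembed_data`. Binding `html` inside the `with` also shadows the `html` parameter of `parse/2`, which reads badly; `embed_html` would be clearer. Whether `Pleroma.HTML.filter_tags/1` tolerates a non-binary value if a provider returns malformed `html` is not visible here, so a `when is_binary(...)` guard on that clause would be the safe addition.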
diff --git a/mix.exs b/mix.exs
index 9153e8ba3..d16c45b74 100644
--- a/mix.exs
+++ b/mix.exs
@@ -4,7 +4,7 @@ defmodule Pleroma.Mixfile do
def project do
[
app: :pleroma,
- version: version("3.6.1"),
+ version: version("6.9.1"),
elixir: "~> 1.12",
elixirc_paths: elixirc_paths(Mix.env()),
compilers: [:phoenix] ++ Mix.compilers(),
@@ -16,9 +16,9 @@ defmodule Pleroma.Mixfile do
test_coverage: [tool: ExCoveralls],
preferred_cli_env: ["coveralls.html": :test],
# Docs
- name: "AkkoUnfucked",
+ name: "incestoma",
homepage_url: "https://git.youjo.love/",
- source_url: "https://git.youjo.love/fox/youjo-be",
+ source_url: "https://git.youjo.love/youjo/youjo-be",
docs: [
source_url_pattern: "https://git.youjo.love/fox/youjo-be/blob/develop/%{path}#L%{line}",
logo: "priv/static/images/logo.png",
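Review bot: `source_url` now points at `youjo/youjo-be`, but the unchanged `source_url_pattern` two lines below still embeds `fox/youjo-be`, so generated doc links will resolve to the old namespace. Update it to `source_url_pattern: "https://git.youjo.love/youjo/youjo-be/blob/develop/%{path}#L%{line}",` in the same change.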
diff --git a/test/pleroma/web/rich_media/parser_test.exs b/test/pleroma/web/rich_media/parser_test.exs
index b6444ac82..5479bc15d 100644
--- a/test/pleroma/web/rich_media/parser_test.exs
+++ b/test/pleroma/web/rich_media/parser_test.exs
@@ -129,7 +129,7 @@ defmodule Pleroma.Web.RichMedia.ParserTest do
}}
end
- test "parses OEmbed" do
+ test "parses OEmbed and filters HTML tags" do
assert Parser.parse("http://example.com/oembed") ==
{:ok,
%{
@@ -139,7 +139,7 @@ defmodule Pleroma.Web.RichMedia.ParserTest do
"flickr_type" => "photo",
"height" => "768",
"html" =>
- "
",
+ "
",
"license" => "All Rights Reserved",
"license_id" => 0,
"provider_name" => "Flickr",
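Review bot: The renamed test only exercises a payload that carries `"html"`, so it cannot catch the case where `get_oembed_data/1` returns a map without that key and `parse/2` now drops the whole result; add a second fixture without `"html"` and assert what `Parser.parse/1` returns for it. The expected `"html"` value on the added line is not legible in this view, so whether the filtered output still contains any provider markup cannot be judged here. The asserted map and the enclosing test continue outside the hunk.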