Merge branch 'stable' of https://git.youjo.love/fox/youjo-be into stable

lib/pleroma/reverse_proxy.ex

@@ -251,6 +251,7 @@ defmodule Pleroma.ReverseProxy do
     |> Enum.filter(fn {k, _} -> k in @keep_resp_headers end)
     |> build_resp_cache_headers(opts)
     |> build_resp_content_disposition_header(opts)
+    |> build_csp_headers()
     |> Keyword.merge(Keyword.get(opts, :resp_headers, []))
   end
 
@@ -316,6 +317,10 @@ defmodule Pleroma.ReverseProxy do
     end
   end
 
+  defp build_csp_headers(headers) do
+    List.keystore(headers, "content-security-policy", 0, {"content-security-policy", "sandbox"})
+  end
+
   defp header_length_constraint(headers, limit) when is_integer(limit) and limit > 0 do
     with {_, size} <- List.keyfind(headers, "content-length", 0),
          {size, _} <- Integer.parse(size),

lib/pleroma/web/plugs/uploaded_media.ex

@@ -44,7 +44,7 @@ defmodule Pleroma.Web.Plugs.UploadedMedia do
         conn ->
           conn
       end
-      |> merge_resp_headers([{"content-security-policy", "sandbox"}])
+      |> merge_resp_headers([{"content-security-policy", "script-src none"}])
 
     config = Pleroma.Config.get(Pleroma.Upload)
 

lib/pleroma/web/rich_media/parsers/o_embed.ex

@@ -6,8 +6,8 @@ defmodule Pleroma.Web.RichMedia.Parsers.OEmbed do
   def parse(html, _data) do
     with elements = [_ | _] <- get_discovery_data(html),
          oembed_url when is_binary(oembed_url) <- get_oembed_url(elements),
-         {:ok, oembed_data} <- get_oembed_data(oembed_url) do
+         {:ok, oembed_data = %{"html" => html}} <- get_oembed_data(oembed_url) do
-      oembed_data
+      %{oembed_data | "html" => Pleroma.HTML.filter_tags(html)}
     else
       _e -> %{}
     end

mix.exs

@@ -4,7 +4,7 @@ defmodule Pleroma.Mixfile do
   def project do
     [
       app: :pleroma,
-      version: version("3.6.1"),
+      version: version("6.9.1"),
       elixir: "~> 1.12",
       elixirc_paths: elixirc_paths(Mix.env()),
       compilers: [:phoenix] ++ Mix.compilers(),
@@ -16,9 +16,9 @@ defmodule Pleroma.Mixfile do
       test_coverage: [tool: ExCoveralls],
       preferred_cli_env: ["coveralls.html": :test],
       # Docs
-      name: "AkkoUnfucked",
+      name: "incestoma",
       homepage_url: "https://git.youjo.love/",
-      source_url: "https://git.youjo.love/fox/youjo-be",
+      source_url: "https://git.youjo.love/youjo/youjo-be",
       docs: [
         source_url_pattern: "https://git.youjo.love/fox/youjo-be/blob/develop/%{path}#L%{line}",
         logo: "priv/static/images/logo.png",

test/pleroma/web/rich_media/parser_test.exs

@@ -129,7 +129,7 @@ defmodule Pleroma.Web.RichMedia.ParserTest do
               }}
   end
 
-  test "parses OEmbed" do
+  test "parses OEmbed and filters HTML tags" do
     assert Parser.parse("http://example.com/oembed") ==
              {:ok,
               %{
@@ -139,7 +139,7 @@ defmodule Pleroma.Web.RichMedia.ParserTest do
                 "flickr_type" => "photo",
                 "height" => "768",
                 "html" =>
-                  "<a data-flickr-embed=\"true\" href=\"https://www.flickr.com/photos/bees/2362225867/\" title=\"Bacon Lollys by \u202E\u202D\u202Cbees\u202C, on Flickr\"><img src=\"https://farm4.staticflickr.com/3040/2362225867_4a87ab8baf_b.jpg\" width=\"1024\" height=\"768\" alt=\"Bacon Lollys\"></a><script async src=\"https://embedr.flickr.com/assets/client-code.js\" charset=\"utf-8\"></script>",
+                  "<a href=\"https://www.flickr.com/photos/bees/2362225867/\" title=\"Bacon Lollys by \u202E\u202D\u202Cbees\u202C, on Flickr\"><img src=\"https://farm4.staticflickr.com/3040/2362225867_4a87ab8baf_b.jpg\" width=\"1024\" height=\"768\" alt=\"Bacon Lollys\"/></a>",
                 "license" => "All Rights Reserved",
                 "license_id" => 0,
                 "provider_name" => "Flickr",