Introduce group basic federation, event new page and notifications

Signed-off-by: Thomas Citharel <tcit@tcit.fr>

lib/service/formatter/default_scrubbler.ex

@@ -8,19 +8,19 @@ defmodule Mobilizon.Service.Formatter.DefaultScrubbler do
   Custom strategy to filter HTML content.
   """
 
-  alias HtmlSanitizeEx.Scrubber.Meta
-
-  require HtmlSanitizeEx.Scrubber.Meta
+  require FastSanitize.Sanitizer.Meta
+  alias FastSanitize.Sanitizer.Meta
 
   # credo:disable-for-previous-line
   # No idea how to fix this one…
 
-  Meta.remove_cdata_sections_before_scrub()
+  @valid_schemes ~w(https http)
+
   Meta.strip_comments()
 
-  Meta.allow_tag_with_uri_attributes("a", ["href", "data-user", "data-tag"], ["https", "http"])
+  Meta.allow_tag_with_uri_attributes(:a, ["href", "data-user", "data-tag"], @valid_schemes)
 
-  Meta.allow_tag_with_this_attribute_values("a", "class", [
+  Meta.allow_tag_with_this_attribute_values(:a, "class", [
     "hashtag",
     "u-url",
     "mention",
@@ -28,7 +28,7 @@ defmodule Mobilizon.Service.Formatter.DefaultScrubbler do
     "mention u-url"
   ])
 
-  Meta.allow_tag_with_this_attribute_values("a", "rel", [
+  Meta.allow_tag_with_this_attribute_values(:a, "rel", [
     "tag",
     "nofollow",
     "noopener",
@@ -36,34 +36,42 @@ defmodule Mobilizon.Service.Formatter.DefaultScrubbler do
     "ugc"
   ])
 
-  Meta.allow_tag_with_these_attributes("a", ["name", "title"])
+  Meta.allow_tag_with_these_attributes(:a, ["name", "title"])
 
-  Meta.allow_tag_with_these_attributes("abbr", ["title"])
+  Meta.allow_tag_with_these_attributes(:abbr, ["title"])
 
-  Meta.allow_tag_with_these_attributes("b", [])
-  Meta.allow_tag_with_these_attributes("blockquote", [])
-  Meta.allow_tag_with_these_attributes("br", [])
-  Meta.allow_tag_with_these_attributes("code", [])
-  Meta.allow_tag_with_these_attributes("del", [])
-  Meta.allow_tag_with_these_attributes("em", [])
-  Meta.allow_tag_with_these_attributes("i", [])
-  Meta.allow_tag_with_these_attributes("li", [])
-  Meta.allow_tag_with_these_attributes("ol", [])
-  Meta.allow_tag_with_these_attributes("p", [])
-  Meta.allow_tag_with_these_attributes("pre", [])
-  Meta.allow_tag_with_these_attributes("strong", [])
-  Meta.allow_tag_with_these_attributes("u", [])
-  Meta.allow_tag_with_these_attributes("ul", [])
-  Meta.allow_tag_with_these_attributes("img", ["src", "alt"])
+  Meta.allow_tag_with_these_attributes(:b, [])
+  Meta.allow_tag_with_these_attributes(:blockquote, [])
+  Meta.allow_tag_with_these_attributes(:br, [])
+  Meta.allow_tag_with_these_attributes(:code, [])
+  Meta.allow_tag_with_these_attributes(:del, [])
+  Meta.allow_tag_with_these_attributes(:em, [])
+  Meta.allow_tag_with_these_attributes(:i, [])
+  Meta.allow_tag_with_these_attributes(:li, [])
+  Meta.allow_tag_with_these_attributes(:ol, [])
+  Meta.allow_tag_with_these_attributes(:p, [])
+  Meta.allow_tag_with_these_attributes(:pre, [])
+  Meta.allow_tag_with_these_attributes(:strong, [])
+  Meta.allow_tag_with_these_attributes(:u, [])
+  Meta.allow_tag_with_these_attributes(:ul, [])
+  Meta.allow_tag_with_uri_attributes(:img, ["src"], @valid_schemes)
 
-  Meta.allow_tag_with_this_attribute_values("span", "class", ["h-card", "mention"])
-  Meta.allow_tag_with_these_attributes("span", ["data-user"])
+  Meta.allow_tag_with_these_attributes(:img, [
+    "width",
+    "height",
+    "class",
+    "title",
+    "alt"
+  ])
 
-  Meta.allow_tag_with_these_attributes("h1", [])
-  Meta.allow_tag_with_these_attributes("h2", [])
-  Meta.allow_tag_with_these_attributes("h3", [])
-  Meta.allow_tag_with_these_attributes("h4", [])
-  Meta.allow_tag_with_these_attributes("h5", [])
+  Meta.allow_tag_with_this_attribute_values(:span, "class", ["h-card", "mention"])
+  Meta.allow_tag_with_these_attributes(:span, ["data-user"])
+
+  Meta.allow_tag_with_these_attributes(:h1, [])
+  Meta.allow_tag_with_these_attributes(:h2, [])
+  Meta.allow_tag_with_these_attributes(:h3, [])
+  Meta.allow_tag_with_these_attributes(:h4, [])
+  Meta.allow_tag_with_these_attributes(:h5, [])
 
   Meta.strip_everything_not_covered()
 end

lib/service/formatter/formatter.ex

@@ -95,7 +95,9 @@ defmodule Mobilizon.Service.Formatter do
   end
 
   def html_escape(text, "text/html") do
-    HTML.filter_tags(text)
+    with {:ok, content} <- HTML.filter_tags(text) do
+      content
+    end
   end
 
   def html_escape(text, "text/plain") do

lib/service/formatter/html.ex

@@ -8,9 +8,11 @@ defmodule Mobilizon.Service.Formatter.HTML do
   Service to filter tags out of HTML content.
   """
 
-  alias HtmlSanitizeEx.Scrubber
+  alias FastSanitize.Sanitizer
 
-  alias Mobilizon.Service.Formatter.DefaultScrubbler
+  alias Mobilizon.Service.Formatter.{DefaultScrubbler, OEmbed}
 
-  def filter_tags(html), do: Scrubber.scrub(html, DefaultScrubbler)
+  def filter_tags(html), do: Sanitizer.scrub(html, DefaultScrubbler)
+
+  def filter_tags_for_oembed(html), do: Sanitizer.scrub(html, OEmbed)
 end

lib/service/formatter/oembed.ex

@@ -0,0 +1,34 @@
+defmodule Mobilizon.Service.Formatter.OEmbed do
+  @moduledoc """
+  Custom strategy to filter HTML content in OEmbed html
+  """
+
+  require FastSanitize.Sanitizer.Meta
+  alias FastSanitize.Sanitizer.Meta
+
+  @valid_schemes ~w(https http)
+
+  Meta.strip_comments()
+
+  Meta.allow_tag_with_uri_attributes(:a, ["href"], @valid_schemes)
+  Meta.allow_tag_with_uri_attributes(:img, ["src"], @valid_schemes)
+
+  Meta.allow_tag_with_these_attributes(:audio, ["controls"])
+
+  Meta.allow_tag_with_uri_attributes(:embed, ["src"], @valid_schemes)
+  Meta.allow_tag_with_these_attributes(:embed, ["height type width"])
+
+  Meta.allow_tag_with_uri_attributes(:iframe, ["src"], @valid_schemes)
+
+  Meta.allow_tag_with_these_attributes(
+    :iframe,
+    ["allowfullscreen frameborder allow height scrolling width"]
+  )
+
+  Meta.allow_tag_with_uri_attributes(:source, ["src"], @valid_schemes)
+  Meta.allow_tag_with_these_attributes(:source, ["type"])
+
+  Meta.allow_tag_with_these_attributes(:video, ["controls height loop width"])
+
+  Meta.strip_everything_not_covered()
+end