Make sanitizer *not* add no-referrer etc. in local markdown toots if the link is...

diff --git a/app/lib/formatter.rb b/app/lib/formatter.rb
index b7a0286d2d602bbbcdfe1e9e4e51c8d29cb5d3bf..051f274082d8bd0bd2e4134e8ffba923409da0bf 100644 (file)
--- a/app/lib/formatter.rb
+++ b/app/lib/formatter.rb
@@ -59,7 +59,7 @@ class Formatter
     html = "RT @#{prepend_reblog} #{html}" if prepend_reblog
     html = format_markdown(html) if status.content_type == 'text/markdown'
     html = encode_and_link_urls(html, linkable_accounts, keep_html: %w(text/markdown text/html).include?(status.content_type))
-    html = reformat(html) if %w(text/markdown text/html).include?(status.content_type)
+    html = reformat(html, true) if %w(text/markdown text/html).include?(status.content_type)
     html = encode_custom_emojis(html, status.emojis, options[:autoplay]) if options[:custom_emojify]
 
     unless %w(text/markdown text/html).include?(status.content_type)
@@ -75,8 +75,8 @@ class Formatter
     html.delete("\r").delete("\n")
   end
 
-  def reformat(html)
-    sanitize(html, Sanitize::Config::MASTODON_STRICT)
+  def reformat(html, outgoing = false)
+    sanitize(html, Sanitize::Config::MASTODON_STRICT.merge(outgoing: outgoing))
   rescue ArgumentError
     ''
   end

diff --git a/app/lib/sanitize_config.rb b/app/lib/sanitize_config.rb
index 8bbcca4ce5c69ba8c3e3ef57bf00e9732762feba..34793ed93b83af9d9ce1e956f56e65ec39401769 100644 (file)
--- a/app/lib/sanitize_config.rb
+++ b/app/lib/sanitize_config.rb
@@ -60,7 +60,10 @@ class Sanitize
       node = env[:node]
 
       rel = (node['rel'] || '').split(' ') & ['tag']
-      node['rel'] = (['nofollow', 'noopener', 'noreferrer'] + rel).join(' ')
+      unless env[:config][:outgoing] && TagManager.instance.local_url?(node['href'])
+        rel += ['nofollow', 'noopener', 'noreferrer']
+      end
+      node['rel'] = rel.join(' ')
     end
 
     UNSUPPORTED_HREF_TRANSFORMER = lambda do |env|
@@ -103,8 +106,8 @@ class Sanitize
       transformers: [
         CLASS_WHITELIST_TRANSFORMER,
         IMG_TAG_TRANSFORMER,
-        LINK_REL_TRANSFORMER,
         UNSUPPORTED_HREF_TRANSFORMER,
+        LINK_REL_TRANSFORMER,
       ]
     )
 

diff --git a/spec/lib/sanitize_config_spec.rb b/spec/lib/sanitize_config_spec.rb
index 2d82c00eaf2076714a04747673c9acec09c6a789..7370c536b66f9cff85be83bbce21aca3317827df 100644 (file)
--- a/spec/lib/sanitize_config_spec.rb
+++ b/spec/lib/sanitize_config_spec.rb
@@ -7,6 +7,12 @@ describe Sanitize::Config do
   describe '::MASTODON_STRICT' do
     subject { Sanitize::Config::MASTODON_STRICT }
 
+    around do |example|
+      original_web_domain = Rails.configuration.x.web_domain
+      example.run
+      Rails.configuration.x.web_domain = original_web_domain
+    end
+
     it 'keeps h1' do
       expect(Sanitize.fragment('<h1>Foo</h1>', subject)).to eq '<h1>Foo</h1>'
     end
@@ -32,7 +38,12 @@ describe Sanitize::Config do
     end
 
     it 'keeps a with href and rel tag' do
-      expect(Sanitize.fragment('<a href="http://example.com" rel="tag">Test</a>', subject)).to eq '<a href="http://example.com" rel="nofollow noopener noreferrer tag" target="_blank">Test</a>'
+      expect(Sanitize.fragment('<a href="http://example.com" rel="tag">Test</a>', subject)).to eq '<a href="http://example.com" rel="tag nofollow noopener noreferrer" target="_blank">Test</a>'
+    end
+
+    it 'keeps a with href and rel tag, not adding to rel if url is local' do
+      Rails.configuration.x.web_domain = 'domain.test'
+      expect(Sanitize.fragment('<a href="http://domain.test/tags/foo" rel="tag">Test</a>', subject.merge(outgoing: true))).to eq '<a href="http://domain.test/tags/foo" rel="tag" target="_blank">Test</a>'
     end
   end
 end