mirror of
https://akkoma.dev/AkkomaGang/akkoma.git
synced 2024-11-10 11:19:19 +00:00
MastodonAPI.StatusView: Do not use site_name
site_name allows a page to spoof its origin domain, which makes hacks like the following possible: <!-- served on https://hacktivis.me/tmp/joinmastodon.org.html --> <meta property="og:image" content="https://hacktivis.me/datalove/img/meme/pleroma/mastodon%2C%20forbidden%20amuse%20yourself.jpeg" /> <meta property="og:title" content="Mastodon: Forbidden Amuse Yourself" /> <meta property="og:site_name" content="joinmastodon.org" /> <meta http-equiv="refresh" content="0; url=http://joinmastodon.org/">
parent
5fcee577f9
commit
1257331291
2 changed files with 3 additions and 5 deletions
|
@ -321,11 +321,9 @@ defmodule Pleroma.Web.MastodonAPI.StatusView do
|
||||||
nil
|
nil
|
||||||
end
|
end
|
||||||
|
|
||||||
site_name = rich_media[:site_name] || page_url_data.host
|
|
||||||
|
|
||||||
%{
|
%{
|
||||||
type: "link",
|
type: "link",
|
||||||
provider_name: site_name,
|
provider_name: page_url_data.host,
|
||||||
provider_url: page_url_data.scheme <> "://" <> page_url_data.host,
|
provider_url: page_url_data.scheme <> "://" <> page_url_data.host,
|
||||||
url: page_url,
|
url: page_url,
|
||||||
image: image_url |> MediaProxy.url(),
|
image: image_url |> MediaProxy.url(),
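Review bot: The new `provider_name: page_url_data.host` line carries no comment explaining why `rich_media[:site_name]` is deliberately ignored, so a later contributor could restore it as a cosmetic improvement and reopen the spoofing issue. I would add above it `# og:site_name is set by the fetched page and can claim any origin; show the URL host instead.` The card's title, description and image still appear to come from the fetched page, which leaves the host as the only origin signal a reader gets. How clients render non-ASCII or punycode hosts is not visible here and may be worth confirming. The enclosing render clause starts and ends outside the hunk.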
|
||||||
|
|
|
@ -491,7 +491,7 @@ defmodule Pleroma.Web.MastodonAPI.StatusViewTest do
|
||||||
title: "Example website"
|
title: "Example website"
|
||||||
}
|
}
|
||||||
|
|
||||||
%{provider_name: "Example site name"} =
|
%{provider_name: "example.com"} =
|
||||||
StatusView.render("card.json", %{page_url: page_url, rich_media: card})
|
StatusView.render("card.json", %{page_url: page_url, rich_media: card})
|
||||||
end
|
end
|
||||||
|
|
||||||
|
@ -506,7 +506,7 @@ defmodule Pleroma.Web.MastodonAPI.StatusViewTest do
|
||||||
description: "Example description"
|
description: "Example description"
|
||||||
}
|
}
|
||||||
|
|
||||||
%{provider_name: "Example site name"} =
|
%{provider_name: "example.com"} =
|
||||||
StatusView.render("card.json", %{page_url: page_url, rich_media: card})
|
StatusView.render("card.json", %{page_url: page_url, rich_media: card})
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
|
|