Embed Notice

HTML Code

<blockquote style="position: relative; padding-left: 55px;"><section><a href="https://gleasonator.com/objects/971e38b0-a37b-407f-a83c-e078959aa733">Alex Gleason (alex@gleasonator.com)'s status on Sunday, 28-May-2023 00:22:10 JST</a><a href="https://gleasonator.com/users/alex" title="alex@gleasonator.com"><img src="https://gnusocial.jp/avatar/1712-48-20220726020642.webp" width="48" height="48" alt="Alex Gleason" style="position: absolute; left: 0; top: 0;">Alex Gleason</a><div><a href="https://bikeshed.party/objects/5179ee8c-4f5b-42e4-bd81-f65bf26a4da3" rel="in-reply-to">in reply to</a><ul><li><li><a href="https://gnusocial.jp/user/2005" title="tadano@amala.schwartzwelt.xyz">Tadano</a></li><li><a href="https://gnusocial.jp/user/4193" title="feld@bikeshed.party">feld</a></li><li><a href="https://gnusocial.jp/user/117563" title="purpcat@boks.moe">Some Purple Cat</a></li></ul></div></section><article><p><a href="https://bikeshed.party/users/feld">@feld</a> <a href="https://amala.schwartzwelt.xyz/users/Tadano">@Tadano</a> <a href="https://boks.moe/users/PurpCat">@PurpCat</a> <a href="https://ryona.agency/users/mint">@mint</a> It’s twofold:</p><ol><li>We need a new upload filter called MimeFilter that lets you specify a whitelist of mime types with wildcard support, defaulting to audio/*, video/*, image/*</li><li>We need a plug at the end of /media and /proxy which blacklists a specific set of known harmful mimes including application/javascript and svg. Those should be rewritten to text/plain.</li></ol><p>Bonus points: sanitizing the oembed html is good, but Pleroma FE actually needs to be patched to put the HTML into a sandboxed iframe. Soapbox doesn’t have this problem because it doesn’t blindly inject the oembed onto the page.</p></article><footer><a rel="bookmark" href="https://gnusocial.jp/conversation/1593588#notice-3142874">In conversation</a><time datetime="2023-05-28T00:22:10+09:00" title="Sunday, 28-May-2023 00:22:10 JST">Sunday, 28-May-2023 00:22:10 JST</time> <span>from <span><a href="https://gleasonator.com/objects/971e38b0-a37b-407f-a83c-e078959aa733" rel="external" title="Sent from gleasonator.com via ActivityPub">gleasonator.com</a></span></span><a href="https://gleasonator.com/objects/971e38b0-a37b-407f-a83c-e078959aa733">permalink</a></footer></blockquote>

Corresponding Notice

Embed this notice
Alex Gleason (alex@gleasonator.com)'s status on Sunday, 28-May-2023 00:22:10 JSTAlex Gleason
in reply to
@feld @Tadano @PurpCat @mint It’s twofold:
1. We need a new upload filter called MimeFilter that lets you specify a whitelist of mime types with wildcard support, defaulting to audio/*, video/*, image/*
2. We need a plug at the end of /media and /proxy which blacklists a specific set of known harmful mimes including application/javascript and svg. Those should be rewritten to text/plain.
Bonus points: sanitizing the oembed html is good, but Pleroma FE actually needs to be patched to put the HTML into a sandboxed iframe. Soapbox doesn’t have this problem because it doesn’t blindly inject the oembed onto the page.
In conversation2 years ago from gleasonator.compermalink

Public

Embed Notice

HTML Code

Corresponding Notice