Trying to enable style elements and attributes on HTML posting for my instance and it's not working

glitch-soc / mastodon

A glitchy but lovable microblogging server

https://glitch-soc.github.io/docs/

GNU Affero General Public License v3.0

692 stars 184 forks source link

Trying to enable style elements and attributes on HTML posting for my instance and it's not working #1847

Closed fullStackRacc closed 2 years ago

fullStackRacc commented 2 years ago

Pitch

I wasn't sure where else to ask, because there's no discussion tab here. I've spent hours going through the code and checking the sanitizer documentation and I'm just entirely lost as to where else the function could be being diabled and was hoping someone could help.

I narrowed it down to app/lib/advanced_text_formatter.rb (the boolean for 'no_styles') and adding it to lib/sanitize_ext/sanitize_config.rb in the MASTODON_STRICT ||= freeze config section

For some reason, when I do this, even adding it to both elements and attributes, it still gets stripped, and from what I can tell about the sanitizer documentation that shouldn't happen? And I'm not sure where to proceed from here, and assume there has to be another place it's getting stripped, but I'm coming up completely blank.

Does anyone have any idea where else it could be getting hit?

Thank you for reading

Motivation

It would help me get the server I'm running up to a more recent mastodon version, and also colors and styles are neat

ClearlyClaire commented 2 years ago

I haven't tried to achieve this, and I can't recommend doing it, for consistency and security reasons, but I think the relevant pieces are:

the markdown parser/formatter itself, configured in AdvancedTextFormatter#format_markdown in app/lib/advanced_text_formatter.rb
the sanitizing step itself at the end of AdvancedTextFormatter#rewrite, with the config defined in lib/sanitize_ext/sanitize_config.rb. MASTODON_STRICT and MASTODON_OUTGOING both strip style attributes through at least the 'span' => %w(class) entry in attributes. The module used for this is: https://github.com/rgrove/sanitize
the Content-Security Policy disallows inline styles. It is defined in config/initializers/content_security_policy.rb

fullStackRacc commented 2 years ago

Ah I didn't see the content security policy that makes sense.

The main reason I'm wanting to do it is that the homestuck instance I run has been using BBCode for everything including color, but with everything being broken up in the newer versions of masto, it's gotten hard to figure out what and where things need to be modified and everything I can find is like, from 2018 and dead. I saw that HTML posting was here and it made sense to my brain and solves a lot of my issues and lets us get back to a newer Masto version.

I'll close this as it's not an issue here, and thank you so much for the help!