More robust federation
[github/Chocobozzz/PeerTube.git] / server / helpers / custom-validators / activitypub / video-comments.ts
index 489ff27de325d22f47e064cc222622272ef8bb59..e04c5388f9059bf5cfc7022fbbe0fe8cb302c786 100644 (file)
@@ -1,40 +1,44 @@
 import * as validator from 'validator'
-import { exists, isDateValid } from '../misc'
-import { isActivityPubUrlValid, isBaseActivityValid } from './misc'
-import * as sanitizeHtml from 'sanitize-html'
+import { ACTIVITY_PUB } from '../../../initializers/constants'
+import { exists, isArray, isDateValid } from '../misc'
+import { isActivityPubUrlValid } from './misc'
 
-function isVideoCommentCreateActivityValid (activity: any) {
-  return isBaseActivityValid(activity, 'Create') &&
-    isVideoCommentObjectValid(activity.object)
-}
+function sanitizeAndCheckVideoCommentObject (comment: any) {
+  if (!comment || comment.type !== 'Note') return false
+
+  normalizeComment(comment)
 
-function isVideoCommentObjectValid (comment: any) {
-  return comment.type === 'Note' &&
-    isActivityPubUrlValid(comment.id) &&
-    sanitizeCommentHTML(comment) &&
+  return isActivityPubUrlValid(comment.id) &&
     isCommentContentValid(comment.content) &&
     isActivityPubUrlValid(comment.inReplyTo) &&
     isDateValid(comment.published) &&
-    isActivityPubUrlValid(comment.url)
+    isActivityPubUrlValid(comment.url) &&
+    isArray(comment.to) &&
+    (
+      comment.to.indexOf(ACTIVITY_PUB.PUBLIC) !== -1 ||
+      comment.cc.indexOf(ACTIVITY_PUB.PUBLIC) !== -1
+    ) // Only accept public comments
 }
 
 // ---------------------------------------------------------------------------
 
 export {
-  isVideoCommentCreateActivityValid
+  sanitizeAndCheckVideoCommentObject
 }
 
 // ---------------------------------------------------------------------------
 
-function sanitizeCommentHTML (comment: any) {
-  return sanitizeHtml(comment.content, {
-    allowedTags: [ 'b', 'i', 'em', 'span', 'a' ],
-    allowedAttributes: {
-      'a': [ 'href' ]
-    }
-  })
-}
-
 function isCommentContentValid (content: any) {
   return exists(content) && validator.isLength('' + content, { min: 1 })
 }
+
+function normalizeComment (comment: any) {
+  if (!comment) return
+
+  if (typeof comment.url !== 'string') {
+    if (typeof comment.url === 'object') comment.url = comment.url.href || comment.url.url
+    else comment.url = comment.id
+  }
+
+  return
+}
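Review bot: `comment.cc.indexOf(ACTIVITY_PUB.PUBLIC)` in `sanitizeAndCheckVideoCommentObject` runs with no check that `cc` is an array, so a remote Note whose `to` lacks the public address and which omits `cc` throws a TypeError instead of returning false, and a string-valued `cc` would be substring-matched rather than compared element by element. Guard it the same way as `to`: `(isArray(comment.cc) && comment.cc.indexOf(ACTIVITY_PUB.PUBLIC) !== -1)`. `normalizeComment` has the same class of problem, since `typeof comment.url === 'object'` is also true for `null` and `comment.url.href` then throws; `if (comment.url && typeof comment.url === 'object')` would let that case fall back to `comment.id`. Separately, the function name still says "sanitize" but the new code only normalises `url` and length-checks `content`, so it is worth confirming that comment HTML is sanitized or escaped elsewhere before it is stored or rendered, which is not visible in this hunk.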