static_fe: Sanitize HTML in users
This commit is contained in:
parent
acb016397e
commit
8176ca9e40
@ -16,6 +16,7 @@ defmodule Pleroma.User do
alias Pleroma.Conversation.Participation
alias Pleroma.Conversation.Participation
alias Pleroma.Delivery
alias Pleroma.Delivery
alias Pleroma.FollowingRelationship
alias Pleroma.FollowingRelationship
alias Pleroma.HTML
alias Pleroma.Keys
alias Pleroma.Keys
alias Pleroma.Notification
alias Pleroma.Notification
alias Pleroma.Object
alias Pleroma.Object
@ -2032,4 +2033,27 @@ def set_invisible(user, invisible) do
|> validate_required([:invisible])
|> validate_required([:invisible])
|> update_and_set_cache()
|> update_and_set_cache()
end
end
def sanitize_html(%User{} = user) do
sanitize_html(user, nil)
end
# User data that mastodon isn't filtering (treated as plaintext):
# - field name
# - display name
def sanitize_html(%User{} = user, filter) do
fields =
user
|> User.fields()
|> Enum.map(fn %{"name" => name, "value" => value} ->
%{
"name" => name,
"value" => HTML.filter_tags(value, Pleroma.HTML.Scrubber.LinksOnly)
}
end)
user
|> Map.put(:bio, HTML.filter_tags(user.bio, filter))
|> Map.put(:fields, fields)
end
end
end
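Review bot: `sanitize_html/2` leaves each field's `"name"` untouched while `"value"` and `bio` go through `HTML.filter_tags/2`, and the ActivityPub `user.json` hunk (`@ -81,12 +82,6`) drops the `Pleroma.HTML.strip_tags(name)` that view applied before, so field names now reach that output with no HTML stripping at all. The comment above the clause describes what Mastodon does with names, but the same struct is handed to the static front-end and admin views in the other hunks, so stripping here is the safer default: `"name" => HTML.strip_tags(name),`. `Map.put/3` on a `%User{}` works because both keys already exist, but `%{user | bio: HTML.filter_tags(user.bio, filter), fields: fields}` would raise on a mistyped key instead of silently adding one. The clause also lacks `@doc`/`@spec`; a one-line `@doc` stating that it returns the user with `bio` filtered by `filter` and field values restricted to `Pleroma.HTML.Scrubber.LinksOnly` would help callers pick a policy.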
@ -73,6 +73,7 @@ def render("user.json", %{user: user}) do
{:ok, _, public_key} = Keys.keys_from_pem(user.keys)
{:ok, _, public_key} = Keys.keys_from_pem(user.keys)
public_key = :public_key.pem_entry_encode(:SubjectPublicKeyInfo, public_key)
public_key = :public_key.pem_entry_encode(:SubjectPublicKeyInfo, public_key)
public_key = :public_key.pem_encode([public_key])
public_key = :public_key.pem_encode([public_key])
user = User.sanitize_html(user)
endpoints = render("endpoints.json", %{user: user})
endpoints = render("endpoints.json", %{user: user})
@ -81,12 +82,6 @@ def render("user.json", %{user: user}) do
fields =
fields =
user
user
|> User.fields()
|> User.fields()
|> Enum.map(fn %{"name" => name, "value" => value} ->
%{
"name" => Pleroma.HTML.strip_tags(name),
"value" => Pleroma.HTML.filter_tags(value, Pleroma.HTML.Scrubber.LinksOnly)
}
end)
|> Enum.map(&Map.put(&1, "type", "PropertyValue"))
|> Enum.map(&Map.put(&1, "type", "PropertyValue"))
%{
%{
@ -5,7 +5,6 @@
defmodule Pleroma.Web.AdminAPI.AccountView do
defmodule Pleroma.Web.AdminAPI.AccountView do
use Pleroma.Web, :view
use Pleroma.Web, :view
alias Pleroma.HTML
alias Pleroma.User
alias Pleroma.User
alias Pleroma.Web.AdminAPI.AccountView
alias Pleroma.Web.AdminAPI.AccountView
alias Pleroma.Web.MediaProxy
alias Pleroma.Web.MediaProxy
@ -26,7 +25,8 @@ def render("index.json", %{users: users}) do
def render("show.json", %{user: user}) do
def render("show.json", %{user: user}) do
avatar = User.avatar_url(user) |> MediaProxy.url()
avatar = User.avatar_url(user) |> MediaProxy.url()
display_name = HTML.strip_tags(user.name || user.nickname)
display_name = Pleroma.HTML.strip_tags(user.name || user.nickname)
user = User.sanitize_html(user, FastSanitize.Sanitizer.StripTags)
%{
%{
"id" => user.id,
"id" => user.id,
@ -5,7 +5,6 @@
defmodule Pleroma.Web.MastodonAPI.AccountView do
defmodule Pleroma.Web.MastodonAPI.AccountView do
use Pleroma.Web, :view
use Pleroma.Web, :view
alias Pleroma.HTML
alias Pleroma.User
alias Pleroma.User
alias Pleroma.Web.CommonAPI.Utils
alias Pleroma.Web.CommonAPI.Utils
alias Pleroma.Web.MastodonAPI.AccountView
alias Pleroma.Web.MastodonAPI.AccountView
@ -67,6 +66,7 @@ def render("relationships.json", %{user: user, targets: targets}) do
end
end
defp do_render("show.json", %{user: user} = opts) do
defp do_render("show.json", %{user: user} = opts) do
user = User.sanitize_html(user, User.html_filter_policy(opts[:for]))
display_name = user.name || user.nickname
display_name = user.name || user.nickname
image = User.avatar_url(user) |> MediaProxy.url()
image = User.avatar_url(user) |> MediaProxy.url()
@ -100,17 +100,6 @@ defp do_render("show.json", %{user: user} = opts) do
}
}
end)
end)
fields =
user
|> User.fields()
|> Enum.map(fn %{"name" => name, "value" => value} ->
%{
"name" => name,
"value" => Pleroma.HTML.filter_tags(value, Pleroma.HTML.Scrubber.LinksOnly)
}
end)
bio = HTML.filter_tags(user.bio, User.html_filter_policy(opts[:for]))
relationship = render("relationship.json", %{user: opts[:for], target: user})
relationship = render("relationship.json", %{user: opts[:for], target: user})
%{
%{
@ -123,17 +112,17 @@ defp do_render("show.json", %{user: user} = opts) do
followers_count: followers_count,
followers_count: followers_count,
following_count: following_count,
following_count: following_count,
statuses_count: user.note_count,
statuses_count: user.note_count,
note: bio || "",
note: user.bio || "",
url: User.profile_url(user),
url: User.profile_url(user),
avatar: image,
avatar: image,
avatar_static: image,
avatar_static: image,
header: header,
header: header,
header_static: header,
header_static: header,
emojis: emojis,
emojis: emojis,
fields: fields,
fields: user.fields,
bot: bot,
bot: bot,
source: %{
source: %{
note: HTML.strip_tags((user.bio || "") |> String.replace("<br>", "\n")),
note: Pleroma.HTML.strip_tags((user.bio || "") |> String.replace("<br>", "\n")),
sensitive: false,
sensitive: false,
fields: user.raw_fields,
fields: user.raw_fields,
pleroma: %{
pleroma: %{
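Review bot: `source.note` on the `Pleroma.HTML.strip_tags((user.bio || "") |> String.replace("<br>", "\n"))` line now reads a bio that `User.sanitize_html/2` has already passed through the viewer-dependent `html_filter_policy`, because `do_render` rebinds `user` before this map is built (hunk `@ -67,6 +66,7`). Before the change this field was computed from the unfiltered `user.bio`, so its value may now vary with `opts[:for]` and depend on how the chosen policy treats `<br>`; if the old behaviour is wanted, keep the original struct in a second binding (e.g. `raw_user = user` before the `sanitize_html` call) and compute `source.note` from `raw_user.bio`. `fields: user.raw_fields` two lines down is unaffected, since `sanitize_html/2` only rewrites `:bio` and `:fields`. `do_render/2` begins outside this hunk.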
@ -66,7 +66,7 @@ defp represent(%Activity{object: %Object{data: data}} = activity, selected) do
end
end
%{
%{
user: user,
user: User.sanitize_html(user),
title: get_title(activity.object),
title: get_title(activity.object),
content: content,
content: content,
attachment: data["attachment"],
attachment: data["attachment"],
@ -120,7 +120,7 @@ def show(%{assigns: %{username_or_id: username_or_id}} = conn, params) do
next_page_id = List.last(timeline) && List.last(timeline).id
next_page_id = List.last(timeline) && List.last(timeline).id
render(conn, "profile.html", %{
render(conn, "profile.html", %{
user: user,
user: User.sanitize_html(user),
timeline: timeline,
timeline: timeline,
prev_page_id: prev_page_id,
prev_page_id: prev_page_id,
next_page_id: next_page_id,
next_page_id: next_page_id,