static_fe: Sanitize HTML in users

2020-03-15 17:00:54 +01:00 · 2020-03-15 17:00:54 +01:00 · 8176ca9e40
parent acb016397e
commit 8176ca9e40
5 changed files with 33 additions and 25 deletions
--- a/lib/pleroma/user.ex
+++ b/lib/pleroma/user.ex
@ -16,6 +16,7 @@ defmodule Pleroma.User do
  alias Pleroma.Conversation.Participation
  alias Pleroma.Delivery
  alias Pleroma.FollowingRelationship
+  alias Pleroma.HTML
  alias Pleroma.Keys
  alias Pleroma.Notification
  alias Pleroma.Object
@ -2032,4 +2033,27 @@ defmodule Pleroma.User do
    |> validate_required([:invisible])
    |> update_and_set_cache()
  end
+
+  def sanitize_html(%User{} = user) do
+    sanitize_html(user, nil)
+  end
+
+  # User data that mastodon isn't filtering (treated as plaintext):
+  # - field name
+  # - display name
+  def sanitize_html(%User{} = user, filter) do
+    fields =
+      user
+      |> User.fields()
+      |> Enum.map(fn %{"name" => name, "value" => value} ->
+        %{
+          "name" => name,
+          "value" => HTML.filter_tags(value, Pleroma.HTML.Scrubber.LinksOnly)
+        }
+      end)
+
+    user
+    |> Map.put(:bio, HTML.filter_tags(user.bio, filter))
+    |> Map.put(:fields, fields)
+  end
 end
--- a/lib/pleroma/web/activity_pub/views/user_view.ex
+++ b/lib/pleroma/web/activity_pub/views/user_view.ex
@ -73,6 +73,7 @@ defmodule Pleroma.Web.ActivityPub.UserView do
    {:ok, _, public_key} = Keys.keys_from_pem(user.keys)
    public_key = :public_key.pem_entry_encode(:SubjectPublicKeyInfo, public_key)
    public_key = :public_key.pem_encode([public_key])
+    user = User.sanitize_html(user)

    endpoints = render("endpoints.json", %{user: user})

@ -81,12 +82,6 @@ defmodule Pleroma.Web.ActivityPub.UserView do
    fields =
      user
      |> User.fields()
-      |> Enum.map(fn %{"name" => name, "value" => value} ->
-        %{
-          "name" => Pleroma.HTML.strip_tags(name),
-          "value" => Pleroma.HTML.filter_tags(value, Pleroma.HTML.Scrubber.LinksOnly)
-        }
-      end)
      |> Enum.map(&Map.put(&1, "type", "PropertyValue"))

    %{
--- a/lib/pleroma/web/admin_api/views/account_view.ex
+++ b/lib/pleroma/web/admin_api/views/account_view.ex
@ -5,7 +5,6 @@
 defmodule Pleroma.Web.AdminAPI.AccountView do
  use Pleroma.Web, :view

-  alias Pleroma.HTML
  alias Pleroma.User
  alias Pleroma.Web.AdminAPI.AccountView
  alias Pleroma.Web.MediaProxy
@ -26,7 +25,8 @@ defmodule Pleroma.Web.AdminAPI.AccountView do

  def render("show.json", %{user: user}) do
    avatar = User.avatar_url(user) |> MediaProxy.url()
-    display_name = HTML.strip_tags(user.name || user.nickname)
+    display_name = Pleroma.HTML.strip_tags(user.name || user.nickname)
+    user = User.sanitize_html(user, FastSanitize.Sanitizer.StripTags)

    %{
      "id" => user.id,
--- a/lib/pleroma/web/mastodon_api/views/account_view.ex
+++ b/lib/pleroma/web/mastodon_api/views/account_view.ex
@ -5,7 +5,6 @@
 defmodule Pleroma.Web.MastodonAPI.AccountView do
  use Pleroma.Web, :view

-  alias Pleroma.HTML
  alias Pleroma.User
  alias Pleroma.Web.CommonAPI.Utils
  alias Pleroma.Web.MastodonAPI.AccountView
@ -67,6 +66,7 @@ defmodule Pleroma.Web.MastodonAPI.AccountView do
  end

  defp do_render("show.json", %{user: user} = opts) do
+    user = User.sanitize_html(user, User.html_filter_policy(opts[:for]))
    display_name = user.name || user.nickname

    image = User.avatar_url(user) |> MediaProxy.url()
@ -100,17 +100,6 @@ defmodule Pleroma.Web.MastodonAPI.AccountView do
        }
      end)

-    fields =
-      user
-      |> User.fields()
-      |> Enum.map(fn %{"name" => name, "value" => value} ->
-        %{
-          "name" => name,
-          "value" => Pleroma.HTML.filter_tags(value, Pleroma.HTML.Scrubber.LinksOnly)
-        }
-      end)
-
-    bio = HTML.filter_tags(user.bio, User.html_filter_policy(opts[:for]))
    relationship = render("relationship.json", %{user: opts[:for], target: user})

    %{
@ -123,17 +112,17 @@ defmodule Pleroma.Web.MastodonAPI.AccountView do
      followers_count: followers_count,
      following_count: following_count,
      statuses_count: user.note_count,
-      note: bio || "",
+      note: user.bio || "",
      url: User.profile_url(user),
      avatar: image,
      avatar_static: image,
      header: header,
      header_static: header,
      emojis: emojis,
-      fields: fields,
+      fields: user.fields,
      bot: bot,
      source: %{
-        note: HTML.strip_tags((user.bio || "") |> String.replace("<br>", "\n")),
+        note: Pleroma.HTML.strip_tags((user.bio || "") |> String.replace("<br>", "\n")),
        sensitive: false,
        fields: user.raw_fields,
        pleroma: %{
--- a/lib/pleroma/web/static_fe/static_fe_controller.ex
+++ b/lib/pleroma/web/static_fe/static_fe_controller.ex
@ -66,7 +66,7 @@ defmodule Pleroma.Web.StaticFE.StaticFEController do
      end

    %{
-      user: user,
+      user: User.sanitize_html(user),
      title: get_title(activity.object),
      content: content,
      attachment: data["attachment"],
@ -120,7 +120,7 @@ defmodule Pleroma.Web.StaticFE.StaticFEController do
        next_page_id = List.last(timeline) && List.last(timeline).id

        render(conn, "profile.html", %{
-          user: user,
+          user: User.sanitize_html(user),
          timeline: timeline,
          prev_page_id: prev_page_id,
          next_page_id: next_page_id,