Merge branch 'preload-escaping' into 'develop'

B Preload: Make sure that the preloaded json is html safe See merge request pleroma/pleroma!3901
2023-06-06 13:31:08 +00:00 · 2023-06-06 13:31:08 +00:00 · 43458cb7a1
parent e8d3525665 40d40d67a3
commit 43458cb7a1
2 changed files with 3 additions and 2 deletions
--- a/changelog.d/3901.security
+++ b/changelog.d/3901.security
@ -0,0 +1 @@
+Preload: Make generated JSON html-safe. It already was html safe because it only consists of config data that is base64 encoded, but this will keep it safe it that ever changes.
--- a/lib/pleroma/web/preload.ex
+++ b/lib/pleroma/web/preload.ex
@ -11,7 +11,7 @@ defmodule Pleroma.Web.Preload do
        terms =
          params
          |> parser.generate_terms()
-          |> Enum.map(fn {k, v} -> {k, Base.encode64(Jason.encode!(v))} end)
+          |> Enum.map(fn {k, v} -> {k, Base.encode64(Jason.encode!(v, escape: :html_safe))} end)
          |> Enum.into(%{})

        Map.merge(acc, terms)
@ -19,7 +19,7 @@ defmodule Pleroma.Web.Preload do

    rendered_html =
      preload_data
-      |> Jason.encode!()
+      |> Jason.encode!(escape: :html_safe)
      |> build_script_tag()
      |> HTML.safe_to_string()
				`@ -0,0 +1 @@`
				`Preload: Make generated JSON html-safe. It already was html safe because it only consists of config data that is base64 encoded, but this will keep it safe it that ever changes.`