Merge remote-tracking branch 'upstream/develop' into neckbeard

2025-01-20 15:00:46 +01:00 · 2023-06-07 07:40:35 -05:00 · 2023-06-07 07:40:35 -05:00 · 923a842c71
commit 923a842c71
parent 0964879958 43458cb7a1
2 changed files with 3 additions and 2 deletions
--- a/changelog.d/3901.security
+++ b/changelog.d/3901.security
@ -0,0 +1 @@
+Preload: Make generated JSON html-safe. It already was html safe because it only consists of config data that is base64 encoded, but this will keep it safe it that ever changes.
--- a/lib/pleroma/web/preload.ex
+++ b/lib/pleroma/web/preload.ex
@ -11,7 +11,7 @@ defmodule Pleroma.Web.Preload do
        terms =
          params
          |> parser.generate_terms()
-          |> Enum.map(fn {k, v} -> {k, Base.encode64(Jason.encode!(v))} end)
+          |> Enum.map(fn {k, v} -> {k, Base.encode64(Jason.encode!(v, escape: :html_safe))} end)
          |> Enum.into(%{})

        Map.merge(acc, terms)
@ -19,7 +19,7 @@ defmodule Pleroma.Web.Preload do

    rendered_html =
      preload_data
-      |> Jason.encode!()
+      |> Jason.encode!(escape: :html_safe)
      |> build_script_tag()
      |> HTML.safe_to_string()
				`@ -0,0 +1 @@`
				`Preload: Make generated JSON html-safe. It already was html safe because it only consists of config data that is base64 encoded, but this will keep it safe it that ever changes.`