static_fe: Sanitize HTML in users

2020-03-15 17:00:54 +01:00 · 2020-03-15 17:00:54 +01:00 · 8176ca9e40
commit 8176ca9e40
parent acb016397e
5 changed files with 33 additions and 25 deletions
--- a/lib/pleroma/user.ex
+++ b/lib/pleroma/user.ex
@ -16,6 +16,7 @@ defmodule Pleroma.User do
  alias Pleroma.Conversation.Participation
  alias Pleroma.Delivery
  alias Pleroma.FollowingRelationship
+  alias Pleroma.HTML
  alias Pleroma.Keys
  alias Pleroma.Notification
  alias Pleroma.Object
@ -2032,4 +2033,27 @@ defmodule Pleroma.User do
    |> validate_required([:invisible])
    |> update_and_set_cache()
  end
+
+  def sanitize_html(%User{} = user) do
+    sanitize_html(user, nil)
+  end
+
+  # User data that mastodon isn't filtering (treated as plaintext):
+  # - field name
+  # - display name
+  def sanitize_html(%User{} = user, filter) do
+    fields =
+      user
+      |> User.fields()
+      |> Enum.map(fn %{"name" => name, "value" => value} ->
+        %{
+          "name" => name,
+          "value" => HTML.filter_tags(value, Pleroma.HTML.Scrubber.LinksOnly)
+        }
+      end)
+
+    user
+    |> Map.put(:bio, HTML.filter_tags(user.bio, filter))
+    |> Map.put(:fields, fields)
+  end
 end