Merge branch 'features/staticfe-sanitization' into 'develop'

static_fe: Sanitize HTML Closes #1614 See merge request pleroma/pleroma!2299
2020-03-15 19:53:52 +00:00 · 2020-03-15 19:53:52 +00:00 · fcf51a77ba
commit fcf51a77ba
parent 8096bfb891
7 changed files with 56 additions and 29 deletions
--- a/lib/pleroma/user.ex
+++ b/lib/pleroma/user.ex
@ -16,6 +16,7 @@ defmodule Pleroma.User do
  alias Pleroma.Conversation.Participation
  alias Pleroma.Delivery
  alias Pleroma.FollowingRelationship
+  alias Pleroma.HTML
  alias Pleroma.Keys
  alias Pleroma.Notification
  alias Pleroma.Object
@ -2062,4 +2063,27 @@ defmodule Pleroma.User do
    |> validate_required([:invisible])
    |> update_and_set_cache()
  end
+
+  def sanitize_html(%User{} = user) do
+    sanitize_html(user, nil)
+  end
+
+  # User data that mastodon isn't filtering (treated as plaintext):
+  # - field name
+  # - display name
+  def sanitize_html(%User{} = user, filter) do
+    fields =
+      user
+      |> User.fields()
+      |> Enum.map(fn %{"name" => name, "value" => value} ->
+        %{
+          "name" => name,
+          "value" => HTML.filter_tags(value, Pleroma.HTML.Scrubber.LinksOnly)
+        }
+      end)
+
+    user
+    |> Map.put(:bio, HTML.filter_tags(user.bio, filter))
+    |> Map.put(:fields, fields)
+  end
 end