Handle HTML in incoming actor summaries

2021-08-25 22:47:19 -04:00 · 2021-08-25 22:47:19 -04:00 · a2b61150f2
parent c942d1b955
commit a2b61150f2
3 changed files with 10 additions and 3 deletions
--- a/lib/clacks/activitypub/fetcher.ex
+++ b/lib/clacks/activitypub/fetcher.ex
@ -1,5 +1,6 @@
 defmodule Clacks.ActivityPub.Fetcher do
  require Logger
+  alias Clacks.Inbox.Transformer

  @spec fetch_actor(id :: String.t()) :: map() | nil
  def fetch_actor(id) do
@ -8,7 +9,7 @@ defmodule Clacks.ActivityPub.Fetcher do
    with %{"type" => type, "id" => remote_id} = actor <- fetch(id),
         "person" <- String.downcase(type),
         %{host: ^id_host} <- URI.parse(remote_id) do
-      actor
+      Transformer.restrict_incoming_actor(actor)
    else
      _ ->
        nil
@ -22,7 +23,7 @@ defmodule Clacks.ActivityPub.Fetcher do
    with object when is_map(object) <- fetch(id),
         remote_actor when is_binary(remote_actor) <- get_actor(object),
         %{host: ^id_host} <- URI.parse(remote_actor) do
-      object
+      Transformer.restrict_incoming_object(object)
    else
      _ ->
        nil
--- a/lib/clacks/inbox/transformer.ex
+++ b/lib/clacks/inbox/transformer.ex
@ -9,6 +9,12 @@ defmodule Clacks.Inbox.Transformer do
    object
  end

+  @spec restrict_incoming_actor(actor :: map()) :: map()
+  def restrict_incoming_actor(%{"summary" => summary} = actor) when is_binary(summary) do
+    summary = sanitize_html(summary)
+    %{actor | "summary" => summary}
+  end
+
  @spec sanitize_html(content :: String.t()) :: String.t()
  defp sanitize_html(content) do
    {:ok, res} = FastSanitize.basic_html(content)
--- a/lib/clacks_web/templates/frontend/profile.html.eex
+++ b/lib/clacks_web/templates/frontend/profile.html.eex
@ -5,7 +5,7 @@
      <%= display_username(@actor) %>
    </a>
  </h2>
-  <p><%= @actor.data["summary"] %></p>
+  <p><%= raw(@actor.data["summary"]) %></p>
 </div>

 <div class="actor-actions">