diff --git a/lib/clacks/activitypub/fetcher.ex b/lib/clacks/activitypub/fetcher.ex
index 3832baf..35d46c6 100644
--- a/lib/clacks/activitypub/fetcher.ex
+++ b/lib/clacks/activitypub/fetcher.ex
@@ -1,5 +1,6 @@
 defmodule Clacks.ActivityPub.Fetcher do
 require Logger
+ alias Clacks.Inbox.Transformer
 @spec fetch_actor(id :: String.t()) :: map() | nil
 def fetch_actor(id) do
@@ -8,7 +9,7 @@ defmodule Clacks.ActivityPub.Fetcher do
 with %{"type" => type, "id" => remote_id} = actor <- fetch(id),
 "person" <- String.downcase(type),
 %{host: ^id_host} <- URI.parse(remote_id) do
- actor
+ Transformer.restrict_incoming_actor(actor)
 else
 _ -> nil
@@ -22,7 +23,7 @@ defmodule Clacks.ActivityPub.Fetcher do
 with object when is_map(object) <- fetch(id),
 remote_actor when is_binary(remote_actor) <- get_actor(object),
 %{host: ^id_host} <- URI.parse(remote_actor) do
- object
+ Transformer.restrict_incoming_object(object)
 else
 _ -> nil
diff --git a/lib/clacks/inbox/transformer.ex b/lib/clacks/inbox/transformer.ex
index 26bd857..5b7bad2 100644
--- a/lib/clacks/inbox/transformer.ex
+++ b/lib/clacks/inbox/transformer.ex
@@ -9,6 +9,12 @@ defmodule Clacks.Inbox.Transformer do
 object
 end
+ @spec restrict_incoming_actor(actor :: map()) :: map()
+ def restrict_incoming_actor(%{"summary" => summary} = actor) when is_binary(summary) do
+ summary = sanitize_html(summary)
+ %{actor | "summary" => summary}
+ end
+
 @spec sanitize_html(content :: String.t()) :: String.t()
 defp sanitize_html(content) do
 {:ok, res} = FastSanitize.basic_html(content)
diff --git a/lib/clacks_web/templates/frontend/profile.html.eex b/lib/clacks_web/templates/frontend/profile.html.eex
index b8780f9..e6dcc0d 100644
--- a/lib/clacks_web/templates/frontend/profile.html.eex
+++ b/lib/clacks_web/templates/frontend/profile.html.eex
@@ -5,7 +5,7 @@ <%= display_username(@actor) %> -
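Review bot: The new `Transformer.restrict_incoming_actor(actor)` call in `fetch_actor/1` sits in the `do` body of the `with`, so the `else` that maps failures to `nil` does not cover it, and the only clause of `restrict_incoming_actor/1` added in the transformer.ex hunk matches `%{"summary" => summary}` with `is_binary(summary)`. A remote actor document with no `"summary"` key, or with a `nil` or non-string summary, therefore raises `FunctionClauseError` out of `fetch_actor/1` instead of the `map() | nil` its `@spec` promises, and that document is controlled by the remote server. The fix belongs in the transformer hunk: add fallback clauses such as `def restrict_incoming_actor(%{"summary" => _} = actor), do: Map.delete(actor, "summary")` and `def restrict_incoming_actor(actor) when is_map(actor), do: actor`, so a non-string summary is dropped rather than kept. The same concern applies to the `restrict_incoming_object(object)` call in the next hunk if that function is equally partial; its clauses are outside this diff. `fetch_actor/1` begins and ends outside the hunk.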
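Review bot: `restrict_incoming_actor/1` sanitizes only `"summary"` and, in this diff, is reached only through `Fetcher.fetch_actor/1`, while the profile.html.eex hunk switches the template to `raw(@actor.data["summary"])`. Rendering that field unescaped is safe only if every actor the template can display passed through this function; the template reads `@actor.data`, which suggests a stored record, so actors persisted before this change, or actor data that enters by another path (an inbox-delivered actor update, if the app stores those), would reach the browser with their HTML intact. Consider re-sanitizing existing records and sanitizing again at render time rather than relying on ingestion alone, and document the contract on the function: `@doc "Sanitizes the HTML in an incoming actor's summary; every actor document must pass through here before it is stored, because the profile template renders the summary with raw/1."` The enclosing module continues outside the hunk.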
<%= @actor.data["summary"] %>
+<%= raw(@actor.data["summary"]) %>