Handle HTML in incoming actor summaries

This commit is contained in:
Shadowfacts 2021-08-25 22:47:19 -04:00
parent c942d1b955
commit a2b61150f2
Signed by: shadowfacts
GPG Key ID: 94A5AB95422746E5
3 changed files with 10 additions and 3 deletions


@ -1,5 +1,6 @@
defmodule Clacks.ActivityPub.Fetcher do defmodule Clacks.ActivityPub.Fetcher do
require Logger require Logger
alias Clacks.Inbox.Transformer
@spec fetch_actor(id :: String.t()) :: map() | nil @spec fetch_actor(id :: String.t()) :: map() | nil
def fetch_actor(id) do def fetch_actor(id) do
@ -8,7 +9,7 @@ defmodule Clacks.ActivityPub.Fetcher do
with %{"type" => type, "id" => remote_id} = actor <- fetch(id), with %{"type" => type, "id" => remote_id} = actor <- fetch(id),
"person" <- String.downcase(type), "person" <- String.downcase(type),
%{host: ^id_host} <- URI.parse(remote_id) do %{host: ^id_host} <- URI.parse(remote_id) do
actor Transformer.restrict_incoming_actor(actor)
else else
_ -> _ ->
nil nil
@ -22,7 +23,7 @@ defmodule Clacks.ActivityPub.Fetcher do
with object when is_map(object) <- fetch(id), with object when is_map(object) <- fetch(id),
remote_actor when is_binary(remote_actor) <- get_actor(object), remote_actor when is_binary(remote_actor) <- get_actor(object),
%{host: ^id_host} <- URI.parse(remote_actor) do %{host: ^id_host} <- URI.parse(remote_actor) do
object Transformer.restrict_incoming_object(object)
else else
_ -> _ ->
nil nil
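Review bot: `fetch_actor/1` and `fetch_object/1` now return a transformed document rather than the remote JSON as fetched, but neither `@spec` nor any `@doc` records that, and a caller that expects the verbatim remote object (for instance to re-serialize or compare it) will silently get the sanitized copy. Add a doc on `fetch_actor/1` along the lines of `@doc "Fetches a remote Person whose id host matches the requested host and returns it with the summary sanitized via Transformer.restrict_incoming_actor/1; nil otherwise."`, and a matching one on `fetch_object/1` naming `restrict_incoming_object/1`. Note also that this is sanitization at fetch time only: if any other path persists actors (an inbox Update activity, a local profile form), it presumably needs the same transformer call — that is outside this hunk and worth confirming. The bodies of both functions continue past the hunk, and `fetch_object/1`'s head is outside it.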


@ -9,6 +9,12 @@ defmodule Clacks.Inbox.Transformer do
object object
end end
@spec restrict_incoming_actor(actor :: map()) :: map()
def restrict_incoming_actor(%{"summary" => summary} = actor) when is_binary(summary) do
summary = sanitize_html(summary)
%{actor | "summary" => summary}
end
@spec sanitize_html(content :: String.t()) :: String.t() @spec sanitize_html(content :: String.t()) :: String.t()
defp sanitize_html(content) do defp sanitize_html(content) do
{:ok, res} = FastSanitize.basic_html(content) {:ok, res} = FastSanitize.basic_html(content)
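Review bot: `restrict_incoming_actor/1` has a single clause that matches only `%{"summary" => summary}` with a binary summary, so an actor document with no `summary` key or a `null` summary raises FunctionClauseError instead of passing through, and because `Fetcher.fetch_actor/1` calls it inside the `with` body, that exception escapes rather than landing in the `else -> nil` branch. Add a catch-all clause after the existing one, `def restrict_incoming_actor(actor), do: actor`, so actors without a summary are returned unchanged. A `@doc` stating that only `summary` is sanitized (via `FastSanitize.basic_html/1`) and that the result is what the actor template later renders unescaped would make the trust boundary explicit for the next maintainer.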


@ -5,7 +5,7 @@
<%= display_username(@actor) %> <%= display_username(@actor) %>
</a> </a>
</h2> </h2>
<p><%= @actor.data["summary"] %></p> <p><%= raw(@actor.data["summary"]) %></p>
</div> </div>
<div class="actor-actions"> <div class="actor-actions">
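Review bot: Wrapping the summary in `raw/1` disables output escaping for every actor, so the template now trusts that each stored summary already passed through `Transformer.restrict_incoming_actor/1`; actor rows persisted before this commit, and any actor write path other than `Fetcher.fetch_actor/1` (local profile edits or inbox Update activities, if such paths exist), would render unsanitized HTML straight into the page. Either re-sanitize existing rows in a migration and route every actor write through the transformer, or keep a render-time sanitization step as defense in depth — a small view helper that runs `FastSanitize.basic_html/1` (returning `""` for `nil`) and is called as `<%= raw(safe_summary(@actor.data["summary"])) %>`. A one-line template comment such as `<%# summary is trusted HTML: sanitized on ingest by Transformer.restrict_incoming_actor/1 %>` would document why `raw/1` is acceptable here.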