[chore] improve opengraph descripiton tag (#1550)

This changes parseDescription to properly encode things to be safe for
usage without removing things like backslashes that may be relevant.

* text.SanitizePlaintext already calls html.UnescapeString so we don't
  have to do that
* Replace \n with space early
* Remove duplicate white-space by splitting on fields and joining
* HTML-escape the string we have
* For extra certainty, encode the backslash as &bsol;

Fixes #1549
Daenney 2023-02-22 22:36:18 +01:00 committed by GitHub
parent b6fbdc66c1
commit 074f352709
2 changed files with 54 additions and 4 deletions


@ -134,11 +134,11 @@ func parseTitle(account *apimodel.Account, accountDomain string) string {
// parseDescription returns a string description which is // parseDescription returns a string description which is
// safe to use as a template.HTMLAttr inside templates. // safe to use as a template.HTMLAttr inside templates.
func parseDescription(in string) string { func parseDescription(in string) string {
i := html.UnescapeString(in) i := text.SanitizePlaintext(in)
i = text.SanitizePlaintext(i)
i = strings.ReplaceAll(i, "\"", "'")
i = strings.ReplaceAll(i, `\`, "")
i = strings.ReplaceAll(i, "\n", " ") i = strings.ReplaceAll(i, "\n", " ")
i = strings.Join(strings.Fields(i), " ")
i = html.EscapeString(i)
i = strings.ReplaceAll(i, `\`, "\")
i = trim(i, maxOGDescriptionLength) i = trim(i, maxOGDescriptionLength)
return `content="` + i + `"` return `content="` + i + `"`
} }
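Review bot: `trim(i, maxOGDescriptionLength)` now runs on the already-escaped string, so the length budget is consumed by entity expansion (`&#39;` and `&bsol;` are several bytes for one character) and a cut can land inside an entity, leaving a fragment such as `&#3` at the end of the attribute; moving `i = trim(i, maxOGDescriptionLength)` above `i = html.EscapeString(i)` keeps truncation on plain text and the escape as the last transformation before the backslash encoding. What trim appends, if anything, is defined outside this hunk, so check that it does not itself introduce a `"` or `&` after escaping has run. The backslash replacement on the last added line is displayed on this page as `"\"`, while the new test expects `&bsol;`; that looks like a rendering artifact, but confirm the literal in the source really is `&bsol;`. The doc comment could also state the contract callers rely on, e.g. `// The result is already HTML-escaped; callers must not escape it again.`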


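--- /dev/null
+++ b/PATH_NOT_SHOWN_ON_PAGE
@@ -0,0 +1,50 @@
+/*
+GoToSocial
+Copyright (C) 2021-2023 GoToSocial Authors admin@gotosocial.org
+This program is free software: you can redistribute it and/or modify
+it under the terms of the GNU Affero General Public License as published by
+the Free Software Foundation, either version 3 of the License, or
+(at your option) any later version.
+This program is distributed in the hope that it will be useful,
+but WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+GNU Affero General Public License for more details.
+You should have received a copy of the GNU Affero General Public License
+along with this program. If not, see <http://www.gnu.org/licenses/>.
+*/
+package web
+import (
+"fmt"
+"testing"
+"github.com/stretchr/testify/suite"
+)
+type OpenGraphTestSuite struct {
+suite.Suite
+}
+func (suite *OpenGraphTestSuite) TestParseDescription() {
+tests := []struct {
+name, in, exp string
+}{
+{name: "shellcmd", in: `echo '\e]8;;http://example.com\e\This is a link\e]8;;\e'`, exp: `echo &#39;&bsol;e]8;;http://example.com&bsol;e&bsol;This is a link&bsol;e]8;;&bsol;e&#39;`},
+{name: "newlines", in: "test\n\ntest\ntest", exp: "test test test"},
+}
+for _, tt := range tests {
+tt := tt
+suite.Run(tt.name, func() {
+suite.Equal(fmt.Sprintf("content=\"%s\"", tt.exp), parseDescription(tt.in))
+})
+}
+}
+func TestOpenGraphTestSuite(t *testing.T) {
+suite.Run(t, &OpenGraphTestSuite{})
+}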
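Review bot: The table in TestParseDescription covers a single quote, backslashes and newlines but not the two characters the attribute escaping exists for, `"` and `&`, nor the truncation path through `trim(i, maxOGDescriptionLength)`; a case whose input contains `"` and `&` would pin that neither reaches `content="..."` unescaped. The expected strings for such a case depend on what text.SanitizePlaintext does to those characters first, which is defined outside this file, so derive them from its behaviour rather than from html.EscapeString alone. A truncation case with an input longer than maxOGDescriptionLength would likewise document whether the cut can split an entity such as `&#39;`.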