[feature] Allow users to set custom css for their profiles + threads (#808)

* add custom css account property + db func to fetch

* allow account to get/set custom css

* serve custom css for an account

* go fmt

* use monospace for customcss, add link

* add custom css to account cache

* fix broken field

* add custom css docs to user guide

* add `accounts-allow-custom-css` config flag

* add allow custom css to /api/v1/instance response

* only show/set custom css if allowed to do so

* only set/serve custom account css if enabled

* update swagger docs

* chain promise

* make bool a bit clearer

* use cache for GetAccountCustomCSSByUsername

internal/text/sanitize_test.go

@@ -94,6 +94,35 @@ func (suite *SanitizeTestSuite) TestSanitizeCaption6() {
 	suite.Equal("hello world", sanitized)
 }
 
+func (suite *SanitizeTestSuite) TestSanitizeCustomCSS() {
+	customCSS := `.toot .username {
+	color: var(--link_fg);
+	line-height: 2rem;
+	margin-top: -0.5rem;
+	align-self: start;
+	
+	white-space: nowrap;
+	overflow: hidden;
+	text-overflow: ellipsis;
+}`
+	sanitized := text.SanitizePlaintext(customCSS)
+	suite.Equal(customCSS, sanitized) // should be the same as it was before
+}
+
+func (suite *SanitizeTestSuite) TestSanitizeNaughtyCustomCSS1() {
+	// try to break out of <style> into <head> and change the document title
+	customCSS := "</style><title>pee pee poo poo</title><style>"
+	sanitized := text.SanitizePlaintext(customCSS)
+	suite.Empty(sanitized)
+}
+
+func (suite *SanitizeTestSuite) TestSanitizeNaughtyCustomCSS2() {
+	// try to break out of <style> into <head> and change the document title
+	customCSS := "pee pee poo poo</style><title></title><style>"
+	sanitized := text.SanitizePlaintext(customCSS)
+	suite.Equal("pee pee poo poo", sanitized)
+}
+
 func TestSanitizeTestSuite(t *testing.T) {
 	suite.Run(t, new(SanitizeTestSuite))
 }