SuperSeriousBusiness/GoToSocial
1
1
Fork 0
mirror of https://github.com/superseriousbusiness/gotosocial synced 2025-06-05 21:59:39 +02:00
Code Issues Projects Releases Wiki Activity

[bugfix] Use custom bluemonday policy to disallow inline img tags (#2100)

Browse Source
This commit is contained in:
tobi
2023-08-11 14:40:11 +02:00
committed by GitHub
parent 3aedd937c3
commit dc96562b40
17 changed files with 243 additions and 78 deletions
Download Patch File Download Diff File Expand all files Collapse all files

8
internal/processing/instance.go
View File

@ -159,7 +159,7 @@ func (p *Processor) InstancePatch(ctx context.Context, form *apimodel.InstanceSe
return nil, gtserror.NewErrorBadRequest(err, fmt.Sprintf("site title invalid: %s", err))
}
updatingColumns = append(updatingColumns, "title")
instance.Title = text.SanitizePlaintext(*form.Title) // don't allow html in site title
instance.Title = text.SanitizeToPlaintext(*form.Title) // don't allow html in site title
}
// validate & update site contact account if it's set on the form
@ -215,7 +215,7 @@ func (p *Processor) InstancePatch(ctx context.Context, form *apimodel.InstanceSe
return nil, gtserror.NewErrorBadRequest(err, err.Error())
}
updatingColumns = append(updatingColumns, "short_description")
instance.ShortDescription = text.SanitizeHTML(*form.ShortDescription) // html is OK in site description, but we should sanitize it
instance.ShortDescription = text.SanitizeToHTML(*form.ShortDescription) // html is OK in site description, but we should sanitize it
}
// validate & update site description if it's set on the form
@ -224,7 +224,7 @@ func (p *Processor) InstancePatch(ctx context.Context, form *apimodel.InstanceSe
return nil, gtserror.NewErrorBadRequest(err, err.Error())
}
updatingColumns = append(updatingColumns, "description")
instance.Description = text.SanitizeHTML(*form.Description) // html is OK in site description, but we should sanitize it
instance.Description = text.SanitizeToHTML(*form.Description) // html is OK in site description, but we should sanitize it
}
// validate & update site terms if it's set on the form
@ -233,7 +233,7 @@ func (p *Processor) InstancePatch(ctx context.Context, form *apimodel.InstanceSe
return nil, gtserror.NewErrorBadRequest(err, err.Error())
}
updatingColumns = append(updatingColumns, "terms")
instance.Terms = text.SanitizeHTML(*form.Terms) // html is OK in site terms, but we should sanitize it
instance.Terms = text.SanitizeToHTML(*form.Terms) // html is OK in site terms, but we should sanitize it
}
var updateInstanceAccount bool