fix: content sanitization in getimage endpoint (#2241)

2025-06-05 22:09:59 +02:00 · 2023-09-18 00:45:26 -04:00
parent b22d236b19
commit 97b434722c
4 changed files with 36 additions and 12 deletions
--- a/plugin/http-getter/image.go
+++ b/plugin/http-getter/image.go
@@ -6,6 +6,8 @@ import (
 	"net/http"
 	"net/url"
 	"strings"
+
+	"github.com/microcosm-cc/bluemonday"
 )

 type Image struct {
@@ -37,9 +39,21 @@ func GetImage(urlStr string) (*Image, error) {
 		return nil, err
 	}

+	bodyBytes, err = SanitizeContent(bodyBytes)
+	if err != nil {
+		return nil, err
+	}
+
 	image := &Image{
 		Blob:      bodyBytes,
 		Mediatype: mediatype,
 	}
 	return image, nil
 }
+
+func SanitizeContent(content []byte) ([]byte, error) {
+	bodyString := string(content)
+
+	bm := bluemonday.UGCPolicy()
+	return []byte(bm.Sanitize(bodyString)), nil
+}