sanitize html for statuses + instance

2025-12-20 21:56:15 -06:00 · 2021-07-13 15:49:15 +02:00 · 2021-07-13 15:49:15 +02:00 · a0252502f5
commit a0252502f5
parent 846057f0d6
7 changed files with 86 additions and 27 deletions
--- a/internal/processing/instance.go
+++ b/internal/processing/instance.go
@ -60,7 +60,7 @@ func (p *processor) InstancePatch(form *apimodel.InstanceSettingsUpdateRequest)
 		if err := util.ValidateSiteTitle(*form.Title); err != nil {
 			return nil, gtserror.NewErrorBadRequest(err, fmt.Sprintf("site title invalid: %s", err))
 		}
-		i.Title = *form.Title
+		i.Title = util.RemoveHTML(*form.Title) // don't allow html in site title
 	}

 	// validate & update site contact account if it's set on the form
@ -110,7 +110,7 @@ func (p *processor) InstancePatch(form *apimodel.InstanceSettingsUpdateRequest)
 		if err := util.ValidateSiteShortDescription(*form.ShortDescription); err != nil {
 			return nil, gtserror.NewErrorBadRequest(err, err.Error())
 		}
-		i.ShortDescription = *form.ShortDescription
+		i.ShortDescription = util.SanitizeHTML(*form.ShortDescription) // html is OK in site description, but we should sanitize it
 	}

 	// validate & update site description if it's set on the form
@ -118,7 +118,7 @@ func (p *processor) InstancePatch(form *apimodel.InstanceSettingsUpdateRequest)
 		if err := util.ValidateSiteDescription(*form.Description); err != nil {
 			return nil, gtserror.NewErrorBadRequest(err, err.Error())
 		}
-		i.Description = *form.Description
+		i.Description = util.SanitizeHTML(*form.Description) // html is OK in site description, but we should sanitize it
 	}

 	// validate & update site terms if it's set on the form
@ -126,7 +126,7 @@ func (p *processor) InstancePatch(form *apimodel.InstanceSettingsUpdateRequest)
 		if err := util.ValidateSiteTerms(*form.Terms); err != nil {
 			return nil, gtserror.NewErrorBadRequest(err, err.Error())
 		}
-		i.Terms = *form.Terms
+		i.Terms = util.SanitizeHTML(*form.Terms) // html is OK in site terms, but we should sanitize it
 	}

 	// process avatar if provided
--- a/internal/processing/status/create.go
+++ b/internal/processing/status/create.go
@ -29,7 +29,7 @@ func (p *processor) Create(account *gtsmodel.Account, application *gtsmodel.Appl
 		Local:                    true,
 		AccountID:                account.ID,
 		AccountURI:               account.URI,
-		ContentWarning:           form.SpoilerText,
+		ContentWarning:           util.RemoveHTML(form.SpoilerText),
 		ActivityStreamsType:      gtsmodel.ActivityStreamsNote,
 		Sensitive:                form.Sensitive,
 		Language:                 form.Language,
--- a/internal/processing/status/util.go
+++ b/internal/processing/status/util.go
@ -264,6 +264,10 @@ func (p *processor) processContent(form *apimodel.AdvancedStatusCreateForm, acco
 	// replace newlines with breaks
 	content = strings.ReplaceAll(content, "\n", "<br />")

-	status.Content = content
+	// sanitize html to remove any dodgy scripts or other disallowed elements
+	clean := util.SanitizeHTML(content)
+
+	// set the content as the shiny clean parsed content
+	status.Content = clean
 	return nil
 }
--- a/internal/util/sanitize.go
+++ b/internal/util/sanitize.go
@ -0,0 +1,50 @@
+/*
+   GoToSocial
+   Copyright (C) 2021 GoToSocial Authors admin@gotosocial.org
+
+   This program is free software: you can redistribute it and/or modify
+   it under the terms of the GNU Affero General Public License as published by
+   the Free Software Foundation, either version 3 of the License, or
+   (at your option) any later version.
+
+   This program is distributed in the hope that it will be useful,
+   but WITHOUT ANY WARRANTY; without even the implied warranty of
+   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+   GNU Affero General Public License for more details.
+
+   You should have received a copy of the GNU Affero General Public License
+   along with this program.  If not, see <http://www.gnu.org/licenses/>.
+*/
+
+package util
+
+import (
+	"github.com/microcosm-cc/bluemonday"
+)
+
+// '[A]llows a broad selection of HTML elements and attributes that are safe for user generated content.
+// Note that this policy does not allow iframes, object, embed, styles, script, etc.
+// An example usage scenario would be blog post bodies where a variety of formatting is expected along with the potential for TABLEs and IMGs.'
+//
+// Source: https://github.com/microcosm-cc/bluemonday#usage
+var regular *bluemonday.Policy = bluemonday.UGCPolicy().
+	RequireNoReferrerOnLinks(true).
+	RequireNoFollowOnLinks(true).
+	RequireCrossOriginAnonymous(true)
+
+// '[C]an be thought of as equivalent to stripping all HTML elements and their attributes as it has nothing on its allowlist.
+// An example usage scenario would be blog post titles where HTML tags are not expected at all
+// and if they are then the elements and the content of the elements should be stripped. This is a very strict policy.'
+//
+// Source: https://github.com/microcosm-cc/bluemonday#usage
+var strict *bluemonday.Policy = bluemonday.StrictPolicy()
+
+// SanitizeHTML cleans up HTML in the given string, allowing through only safe HTML elements.
+func SanitizeHTML(in string) string {
+	return regular.Sanitize(in)
+}
+
+// RemoveHTML removes all HTML from the given string.
+func RemoveHTML(in string) string {
+	return strict.Sanitize(in)
+}