sanitize html for statuses + instance

2025-12-17 16:23:02 -06:00 · 2021-07-13 15:49:15 +02:00 · 2021-07-13 15:49:15 +02:00 · a0252502f5
commit a0252502f5
parent 846057f0d6
7 changed files with 86 additions and 27 deletions
--- a/internal/processing/instance.go
+++ b/internal/processing/instance.go
@ -60,7 +60,7 @@ func (p *processor) InstancePatch(form *apimodel.InstanceSettingsUpdateRequest)
 		if err := util.ValidateSiteTitle(*form.Title); err != nil {
 			return nil, gtserror.NewErrorBadRequest(err, fmt.Sprintf("site title invalid: %s", err))
 		}
-		i.Title = *form.Title
+		i.Title = util.RemoveHTML(*form.Title) // don't allow html in site title
 	}

 	// validate & update site contact account if it's set on the form
@ -110,7 +110,7 @@ func (p *processor) InstancePatch(form *apimodel.InstanceSettingsUpdateRequest)
 		if err := util.ValidateSiteShortDescription(*form.ShortDescription); err != nil {
 			return nil, gtserror.NewErrorBadRequest(err, err.Error())
 		}
-		i.ShortDescription = *form.ShortDescription
+		i.ShortDescription = util.SanitizeHTML(*form.ShortDescription) // html is OK in site description, but we should sanitize it
 	}

 	// validate & update site description if it's set on the form
@ -118,7 +118,7 @@ func (p *processor) InstancePatch(form *apimodel.InstanceSettingsUpdateRequest)
 		if err := util.ValidateSiteDescription(*form.Description); err != nil {
 			return nil, gtserror.NewErrorBadRequest(err, err.Error())
 		}
-		i.Description = *form.Description
+		i.Description = util.SanitizeHTML(*form.Description) // html is OK in site description, but we should sanitize it
 	}

 	// validate & update site terms if it's set on the form
@ -126,7 +126,7 @@ func (p *processor) InstancePatch(form *apimodel.InstanceSettingsUpdateRequest)
 		if err := util.ValidateSiteTerms(*form.Terms); err != nil {
 			return nil, gtserror.NewErrorBadRequest(err, err.Error())
 		}
-		i.Terms = *form.Terms
+		i.Terms = util.SanitizeHTML(*form.Terms) // html is OK in site terms, but we should sanitize it
 	}

 	// process avatar if provided
--- a/internal/processing/status/create.go
+++ b/internal/processing/status/create.go
@ -29,7 +29,7 @@ func (p *processor) Create(account *gtsmodel.Account, application *gtsmodel.Appl
 		Local:                    true,
 		AccountID:                account.ID,
 		AccountURI:               account.URI,
-		ContentWarning:           form.SpoilerText,
+		ContentWarning:           util.RemoveHTML(form.SpoilerText),
 		ActivityStreamsType:      gtsmodel.ActivityStreamsNote,
 		Sensitive:                form.Sensitive,
 		Language:                 form.Language,
--- a/internal/processing/status/util.go
+++ b/internal/processing/status/util.go
@ -264,6 +264,10 @@ func (p *processor) processContent(form *apimodel.AdvancedStatusCreateForm, acco
 	// replace newlines with breaks
 	content = strings.ReplaceAll(content, "\n", "<br />")

-	status.Content = content
+	// sanitize html to remove any dodgy scripts or other disallowed elements
+	clean := util.SanitizeHTML(content)
+
+	// set the content as the shiny clean parsed content
+	status.Content = clean
 	return nil
 }