sanitize html for statuses + instance

2025-12-19 08:33:00 -06:00 · 2021-07-13 15:49:15 +02:00 · 2021-07-13 15:49:15 +02:00 · a0252502f5
commit a0252502f5
parent 846057f0d6
7 changed files with 86 additions and 27 deletions
--- a/internal/processing/status/create.go
+++ b/internal/processing/status/create.go
@ -29,7 +29,7 @@ func (p *processor) Create(account *gtsmodel.Account, application *gtsmodel.Appl
 		Local:                    true,
 		AccountID:                account.ID,
 		AccountURI:               account.URI,
-		ContentWarning:           form.SpoilerText,
+		ContentWarning:           util.RemoveHTML(form.SpoilerText),
 		ActivityStreamsType:      gtsmodel.ActivityStreamsNote,
 		Sensitive:                form.Sensitive,
 		Language:                 form.Language,
--- a/internal/processing/status/util.go
+++ b/internal/processing/status/util.go
@ -264,6 +264,10 @@ func (p *processor) processContent(form *apimodel.AdvancedStatusCreateForm, acco
 	// replace newlines with breaks
 	content = strings.ReplaceAll(content, "\n", "<br />")

-	status.Content = content
+	// sanitize html to remove any dodgy scripts or other disallowed elements
+	clean := util.SanitizeHTML(content)
+
+	// set the content as the shiny clean parsed content
+	status.Content = clean
 	return nil
 }