Remove dangerous markup from remote hashtag posts

2023-01-07 11:19:57 +00:00 · 2023-01-07 11:19:57 +00:00 · 179f4341ee
parent cf8505c85a
commit 179f4341ee
2 changed files with 23 additions and 3 deletions
--- a/conversation.py
+++ b/conversation.py
@ -179,12 +179,13 @@ def download_conversation_posts(session, http_prefix: str, base_dir: str,
                if dangerous_markup(post_json['object'][field_name], False):
                    post_json['object'][field_name] = \
                        remove_html(post_json['object'][field_name])
-            if post_json['object'].get(field_name + 'Map'):
-                map_dict = post_json['object'][field_name + 'Map'].items()
+            map_name = field_name + 'Map'
+            if post_json['object'].get(map_name):
+                map_dict = post_json['object'][map_name].items()
                for lang, content in map_dict:
                    if dangerous_markup(content, False):
                        content = remove_html(content)
-                        post_json['object'][field_name + 'Map'][lang] = content
+                        post_json['object'][map_name][lang] = content

        conversation_view = [post_json] + conversation_view
        if not post_json['object'].get('inReplyTo'):
--- a/webapp_search.py
+++ b/webapp_search.py
@ -11,6 +11,8 @@ import os
 from shutil import copyfile
 import urllib.parse
 from datetime import datetime
+from utils import dangerous_markup
+from utils import remove_html
 from utils import remove_id_ending
 from utils import has_object_dict
 from utils import acct_handle_dir
@ -1191,6 +1193,23 @@ def html_hashtag_search_remote(nickname: str, domain: str, port: int,
        if not is_public_post(post_json_object):
            print('Hashtag post is not public ' + post_id)
            continue
+
+        # remove any dangerous markup
+        for field_name in ('content', 'summary'):
+            if post_json_object['object'].get(field_name):
+                if dangerous_markup(post_json_object['object'][field_name],
+                                    False):
+                    post_json_object['object'][field_name] = \
+                        remove_html(post_json_object['object'][field_name])
+            map_name = field_name + 'Map'
+            if post_json_object['object'].get(map_name):
+                map_dict = post_json_object['object'][map_name].items()
+                for lang, content in map_dict:
+                    if dangerous_markup(content, False):
+                        content = remove_html(content)
+                        post_json_object['object'][map_name][lang] = \
+                            content
+
        show_individual_post_icons = False
        allow_deletion = False
        show_repeats = show_individual_post_icons