From 179f4341ee87f80bc2856d3993db2c2692d28c0c Mon Sep 17 00:00:00 2001
From: Bob Mottram
Date: Sat, 7 Jan 2023 11:19:57 +0000
Subject: [PATCH] Remove dangerous markup from remote hashtag posts

---
 conversation.py | 7 ++++---
 webapp_search.py | 19 +++++++++++++++++++
 2 files changed, 23 insertions(+), 3 deletions(-)

diff --git a/conversation.py b/conversation.py
index f8bafb94c..58b79ac94 100644
--- a/conversation.py
+++ b/conversation.py
@@ -179,12 +179,13 @@ def download_conversation_posts(session, http_prefix: str, base_dir: str,
 if dangerous_markup(post_json['object'][field_name], False):
 post_json['object'][field_name] = \
 remove_html(post_json['object'][field_name])
- if post_json['object'].get(field_name + 'Map'):
- map_dict = post_json['object'][field_name + 'Map'].items()
+ map_name = field_name + 'Map'
+ if post_json['object'].get(map_name):
+ map_dict = post_json['object'][map_name].items()
 for lang, content in map_dict:
 if dangerous_markup(content, False):
 content = remove_html(content)
- post_json['object'][field_name + 'Map'][lang] = content
+ post_json['object'][map_name][lang] = content
 
 conversation_view = [post_json] + conversation_view
 if not post_json['object'].get('inReplyTo'):
diff --git a/webapp_search.py b/webapp_search.py
index 86dbf3de5..35d721e9a 100644
--- a/webapp_search.py
+++ b/webapp_search.py
@@ -11,6 +11,8 @@ import os
 from shutil import copyfile
 import urllib.parse
 from datetime import datetime
+from utils import dangerous_markup
+from utils import remove_html
 from utils import remove_id_ending
 from utils import has_object_dict
 from utils import acct_handle_dir
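Review bot: The new `map_dict = post_json['object'][map_name].items()` line assumes the `contentMap`/`summaryMap` value of a remotely fetched post is a dict; a malformed or hostile post that puts a string or list there raises AttributeError part-way through sanitisation instead of being cleaned, and the same line is duplicated in the `html_hashtag_search_remote` hunk of webapp_search.py. A shape check such as `if isinstance(post_json['object'].get(map_name), dict):` would make the loop tolerate unexpected remote data deterministically, with a decision (skip or drop the field) that is visible rather than an exception whose handling is outside this hunk. The `for field_name` loop this code sits in starts before the hunk, so the outer guard on the field itself isn't visible here. Rebinding `post_json['object'][map_name][lang]` while iterating `.items()` is safe because only existing keys are overwritten; a short comment, `# overwriting existing keys is safe while iterating items()`, would stop a later reader from "fixing" it into a copy.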
@@ -1191,6 +1193,23 @@ def html_hashtag_search_remote(nickname: str, domain: str, port: int,
 if not is_public_post(post_json_object):
 print('Hashtag post is not public ' + post_id)
 continue
+
+ # remove any dangerous markup
+ for field_name in ('content', 'summary'):
+ if post_json_object['object'].get(field_name):
+ if dangerous_markup(post_json_object['object'][field_name],
+ False):
+ post_json_object['object'][field_name] = \
+ remove_html(post_json_object['object'][field_name])
+ map_name = field_name + 'Map'
+ if post_json_object['object'].get(map_name):
+ map_dict = post_json_object['object'][map_name].items()
+ for lang, content in map_dict:
+ if dangerous_markup(content, False):
+ content = remove_html(content)
+ post_json_object['object'][map_name][lang] = \
+ content
+
 show_individual_post_icons = False
 allow_deletion = False
 show_repeats = show_individual_post_icons
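Review bot: The sanitisation block added before `show_individual_post_icons = False` is a line-for-line copy of the loop in `download_conversation_posts` in conversation.py (touched by this same commit), so the two definitions of what counts as dangerous remote markup will drift apart the next time one of them is changed. Moving it into a single helper in utils next to `dangerous_markup`/`remove_html`, e.g. `def remove_dangerous_markup_from_post(post_json_object: dict) -> None`, with a docstring stating that it strips `content`/`summary` and their `*Map` variants in place, and calling it from both sites keeps one enforcement point for remote content. The block also indexes `post_json_object['object']` directly; `is_public_post` runs just above it, but whether that guarantees `object` is a dict isn't visible here, and `has_object_dict` is already imported in this file if a guard is wanted. The enclosing `for` loop and `html_hashtag_search_remote` itself start before the hunk.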