More validation on movedTo

daemon_post_profile.py

@@ -1752,7 +1752,8 @@ def _profile_post_moved(actor_json: {}, fields: {},
     for fieldname in fieldnames:
         moved_to = ''
         if actor_json.get(fieldname):
-            moved_to = actor_json[fieldname]
+            if isinstance(actor_json[fieldname], str):
+                moved_to = remove_html(actor_json[fieldname])
 
         if fields.get(fieldname):
             if fields[fieldname] != moved_to and \

daemon_utils.py

@@ -671,13 +671,15 @@ def show_person_options(self, calling_domain: str, path: str,
                                   self.server.person_cache)
         if actor_json:
             if actor_json.get('movedTo'):
-                moved_to = actor_json['movedTo']
+                if isinstance(actor_json['movedTo'], str):
-                if '"' in moved_to:
+                    moved_to = remove_html(actor_json['movedTo'])
-                    moved_to = moved_to.split('"')[1]
+                    if '"' in moved_to:
+                        moved_to = moved_to.split('"')[1]
             elif actor_json.get('copiedTo'):
-                moved_to = actor_json['copiedTo']
+                if isinstance(actor_json['copiedTo'], str):
-                if '"' in moved_to:
+                    moved_to = remove_html(actor_json['copiedTo'])
-                    moved_to = moved_to.split('"')[1]
+                    if '"' in moved_to:
+                        moved_to = moved_to.split('"')[1]
             if actor_json.get('type'):
                 if actor_json['type'] == 'Group':
                     is_group = True

desktop_client.py

@@ -1002,10 +1002,12 @@ def _desktop_show_actor(http_prefix: str,
     _say_command(say_str, say_str, screenreader, system_language, espeak)
     print(actor)
     if actor_json.get('movedTo'):
-        say_str = 'Moved to ' + html.unescape(actor_json['movedTo'])
+        moved_url = html.unescape(actor_json['movedTo'])
+        say_str = 'Moved to ' + remove_html(moved_url)
         _say_command(say_str, say_str, screenreader, system_language, espeak)
     elif actor_json.get('copiedTo'):
-        say_str = 'Copied to ' + html.unescape(actor_json['copiedTo'])
+        moved_url = html.unescape(actor_json['copiedTo'])
+        say_str = 'Copied to ' + remove_html(moved_url)
         _say_command(say_str, say_str, screenreader, system_language, espeak)
     if actor_json.get('alsoKnownAs'):
         also_known_as_str = ''

inbox_receive.py

@@ -250,9 +250,11 @@ def _person_receive_update(base_dir: str,
 
     person_has_moved_url = None
     if person_json.get('movedTo'):
-        person_has_moved_url = person_json['movedTo']
+        if isinstance(person_json['movedTo'], str):
+            person_has_moved_url = remove_html(person_json['movedTo'])
     elif person_json.get('copiedTo'):
-        person_has_moved_url = person_json['copiedTo']
+        if isinstance(person_json['copiedTo'], str):
+            person_has_moved_url = remove_html(person_json['copiedTo'])
 
     if person_has_moved_url:
         prev_domain_full = None

migrate.py

@@ -9,6 +9,7 @@ __module_group__ = "Core"
 
 import os
 from flags import has_group_type
+from utils import remove_html
 from utils import data_dir
 from utils import is_account_dir
 from utils import get_nickname_from_actor
@@ -114,10 +115,15 @@ def _update_moved_handle(base_dir: str, nickname: str, domain: str,
     if not person_json.get('movedTo') and \
        not person_json.get('copiedTo'):
         return ctr
+    moved_to_url = ''
     if person_json.get('movedTo'):
-        moved_to_url = person_json['movedTo']
+        if isinstance(person_json['movedTo'], str):
+            moved_to_url = remove_html(person_json['movedTo'])
     else:
-        moved_to_url = person_json['copiedTo']
+        if isinstance(person_json['copiedTo'], str):
+            moved_to_url = remove_html(person_json['copiedTo'])
+    if not moved_to_url:
+        return ctr
     if '://' not in moved_to_url:
         return ctr
     if '.' not in moved_to_url:

person.py

@@ -359,10 +359,15 @@ def get_actor_move_json(actor_json: {}) -> {}:
     if not actor_json.get('movedTo') and \
        not actor_json.get('copiedTo'):
         return None
+    moved_url = ''
     if actor_json.get('movedTo'):
-        moved_url = actor_json['movedTo']
+        if isinstance(actor_json['movedTo'], str):
+            moved_url = remove_html(actor_json['movedTo'])
     else:
-        moved_url = actor_json['copiedTo']
+        if isinstance(actor_json['copiedTo'], str):
+            moved_url = remove_html(actor_json['copiedTo'])
+    if not moved_url:
+        return None
     if '://' not in moved_url or \
        '.' not in moved_url:
         return None

relationships.py

@@ -9,6 +9,7 @@ __module_group__ = "Core"
 
 import os
 from flags import is_dormant
+from utils import remove_html
 from utils import data_dir
 from utils import get_user_paths
 from utils import acct_dir
@@ -280,10 +281,15 @@ def update_moved_actors(base_dir: str, debug: bool) -> None:
         if not actor_json.get('movedTo'):
             if not actor_json.get('copiedTo'):
                 continue
+        moved_url = ''
         if actor_json.get('movedTo'):
-            moved_url = actor_json['movedTo']
+            if not isinstance(actor_json['movedTo'], str):
+                moved_url = remove_html(actor_json['movedTo'])
         else:
-            moved_url = actor_json['copiedTo']
+            if not isinstance(actor_json['copiedTo'], str):
+                moved_url = remove_html(actor_json['copiedTo'])
+        if not moved_url:
+            continue
         nickname = get_nickname_from_actor(moved_url)
         if not nickname:
             continue

webapp_profile.py

@@ -352,16 +352,16 @@ def html_profile_after_search(authorized: bool,
     moved_to = ''
     if profile_json.get('movedTo') or profile_json.get('copiedTo'):
         if profile_json.get('movedTo'):
-            moved_to = profile_json['movedTo']
+            if not isinstance(profile_json['movedTo'], str):
+                moved_to = remove_html(profile_json['movedTo'])
         else:
-            moved_to = profile_json['copiedTo']
+            if not isinstance(profile_json['copiedTo'], str):
-        if isinstance(moved_to, str):
+                moved_to = remove_html(profile_json['copiedTo'])
+        if moved_to:
             if '"' in moved_to:
                 moved_to = moved_to.split('"')[1]
-            moved_to = remove_html(moved_to)
+            moved_to = moved_to
             display_name += ' ⌂'
-        else:
-            moved_to = ''
 
     you_follow = \
         is_following_actor(base_dir,
@@ -1493,10 +1493,12 @@ def html_profile(signing_priv_key_pem: str,
     moved_to = ''
     if profile_json.get('movedTo') or profile_json.get('copiedTo'):
         if profile_json.get('movedTo'):
-            moved_to = profile_json['movedTo']
+            if isinstance(profile_json['movedTo'], str):
+                moved_to = remove_html(profile_json['movedTo'])
         else:
-            moved_to = profile_json['copiedTo']
+            if isinstance(profile_json['copiedTo'], str):
-        if isinstance(moved_to, str):
+                moved_to = remove_html(profile_json['copiedTo'])
+        if moved_to:
             if '"' in moved_to:
                 moved_to = moved_to.split('"')[1]
         else:
@@ -3481,9 +3483,11 @@ def html_edit_profile(server, translate: {},
     actor_json = load_json(actor_filename)
     if actor_json:
         if actor_json.get('movedTo'):
-            moved_to = actor_json['movedTo']
+            if isinstance(actor_json['movedTo'], str):
+                moved_to = remove_html(actor_json['movedTo'])
         elif actor_json.get('copiedTo'):
-            moved_to = actor_json['copiedTo']
+            if isinstance(actor_json['copiedTo'], str):
+                moved_to = remove_html(actor_json['copiedTo'])
         featured_hashtags = get_featured_hashtags(actor_json)
         donate_url = get_donation_url(actor_json)
         website_url = get_website(actor_json, translate)