Neutralise any harmful markup

2024-06-21 21:59:12 +01:00 · 2024-06-21 21:59:12 +01:00 · c5dce8151b
parent d3aaed92b4
commit c5dce8151b
2 changed files with 16 additions and 0 deletions
--- a/inbox.py
+++ b/inbox.py
@ -18,6 +18,7 @@ from languages import understood_post_language
 from like import update_likes_collection
 from reaction import update_reaction_collection
 from reaction import valid_emoji_content
+from utils import harmless_markup
 from utils import quote_toots_allowed
 from utils import get_post_attachments
 from utils import lines_in_file
@ -1685,6 +1686,7 @@ def _receive_edit_to_post(recent_posts_cache: {}, message_json: {},
        print('EDITPOST: ' + message_id + ' has already expired')
        return False
    convert_post_content_to_html(message_json)
+    harmless_markup(message_json)
    if not _valid_post_content(base_dir, nickname, domain,
                               message_json, max_mentions, max_emoji,
                               allow_local_network_access, debug,
@ -4849,6 +4851,7 @@ def _former_representations_to_edits(base_dir: str,
                prev_post_json['object']['atomUri'] = prev_post_id

        # validate the previous post
+        harmless_markup(prev_post_json)
        if not _valid_post_content(base_dir, nickname, domain,
                                   prev_post_json,
                                   max_mentions, max_emoji,
@ -5251,6 +5254,10 @@ def _inbox_after_initial(server, inbox_start_time,
    json_obj = None
    domain_full = get_full_domain(domain, port)
    convert_post_content_to_html(post_json_object)
+
+    # neutralise anything harmful
+    harmless_markup(post_json_object)
+
    if _valid_post_content(base_dir, nickname, domain,
                           post_json_object, max_mentions, max_emoji,
                           allow_local_network_access, debug,
--- a/utils.py
+++ b/utils.py
@ -5042,6 +5042,14 @@ def harmless_markup(post_json_object: {}) -> None:
    """render harmless any dangerous markup
    """
    for field_name in ('content', 'summary'):
+        if post_json_object.get(field_name):
+            if dangerous_markup(post_json_object[field_name],
+                                False, ['pre']):
+                post_json_object[field_name] = \
+                    remove_html(post_json_object[field_name])
+            post_json_object[field_name] = \
+                remove_markup_tag(post_json_object[field_name], 'pre')
+
        if post_json_object['object'].get(field_name):
            if dangerous_markup(post_json_object['object'][field_name],
                                False, ['pre']):
@ -5050,6 +5058,7 @@ def harmless_markup(post_json_object: {}) -> None:
            post_json_object['object'][field_name] = \
                remove_markup_tag(post_json_object['object'][field_name],
                                  'pre')
+
        map_name = field_name + 'Map'
        if post_json_object['object'].get(map_name):
            if isinstance(post_json_object['object'][map_name], dict):