indymedia
/
epicyon
mirror of https://gitlab.com/bashrc2/epicyon
7
4
Fork 1
Code Issues 14 Releases Wiki Activity

Neutralise any harmful markup

merge-requests/30/head
Bob Mottram 2024-06-21 21:59:12 +01:00
parent d3aaed92b4
commit c5dce8151b
2 changed files with 16 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

7
inbox.py
View File

@ -18,6 +18,7 @@ from languages import understood_post_language
from like import update_likes_collection from like import update_likes_collection
from reaction import update_reaction_collection from reaction import update_reaction_collection
from reaction import valid_emoji_content from reaction import valid_emoji_content
from utils import harmless_markup
from utils import quote_toots_allowed from utils import quote_toots_allowed
from utils import get_post_attachments from utils import get_post_attachments
from utils import lines_in_file from utils import lines_in_file
@ -1685,6 +1686,7 @@ def _receive_edit_to_post(recent_posts_cache: {}, message_json: {},
print('EDITPOST: ' + message_id + ' has already expired') print('EDITPOST: ' + message_id + ' has already expired')
return False return False
convert_post_content_to_html(message_json) convert_post_content_to_html(message_json)
harmless_markup(message_json)
if not _valid_post_content(base_dir, nickname, domain, if not _valid_post_content(base_dir, nickname, domain,
message_json, max_mentions, max_emoji, message_json, max_mentions, max_emoji,
allow_local_network_access, debug, allow_local_network_access, debug,
@ -4849,6 +4851,7 @@ def _former_representations_to_edits(base_dir: str,
prev_post_json['object']['atomUri'] = prev_post_id prev_post_json['object']['atomUri'] = prev_post_id
# validate the previous post # validate the previous post
harmless_markup(prev_post_json)
if not _valid_post_content(base_dir, nickname, domain, if not _valid_post_content(base_dir, nickname, domain,
prev_post_json, prev_post_json,
max_mentions, max_emoji, max_mentions, max_emoji,
@ -5251,6 +5254,10 @@ def _inbox_after_initial(server, inbox_start_time,
json_obj = None json_obj = None
domain_full = get_full_domain(domain, port) domain_full = get_full_domain(domain, port)
convert_post_content_to_html(post_json_object) convert_post_content_to_html(post_json_object)
# neutralise anything harmful
harmless_markup(post_json_object)
if _valid_post_content(base_dir, nickname, domain, if _valid_post_content(base_dir, nickname, domain,
post_json_object, max_mentions, max_emoji, post_json_object, max_mentions, max_emoji,
allow_local_network_access, debug, allow_local_network_access, debug,

9
utils.py
View File

@ -5042,6 +5042,14 @@ def harmless_markup(post_json_object: {}) -> None:
"""render harmless any dangerous markup """render harmless any dangerous markup
""" """
for field_name in ('content', 'summary'): for field_name in ('content', 'summary'):
if post_json_object.get(field_name):
if dangerous_markup(post_json_object[field_name],
False, ['pre']):
post_json_object[field_name] = \
remove_html(post_json_object[field_name])
post_json_object[field_name] = \
remove_markup_tag(post_json_object[field_name], 'pre')
if post_json_object['object'].get(field_name): if post_json_object['object'].get(field_name):
if dangerous_markup(post_json_object['object'][field_name], if dangerous_markup(post_json_object['object'][field_name],
False, ['pre']): False, ['pre']):
@ -5050,6 +5058,7 @@ def harmless_markup(post_json_object: {}) -> None:
post_json_object['object'][field_name] = \ post_json_object['object'][field_name] = \
remove_markup_tag(post_json_object['object'][field_name], remove_markup_tag(post_json_object['object'][field_name],
'pre') 'pre')
map_name = field_name + 'Map' map_name = field_name + 'Map'
if post_json_object['object'].get(map_name): if post_json_object['object'].get(map_name):
if isinstance(post_json_object['object'][map_name], dict): if isinstance(post_json_object['object'][map_name], dict):