Avoid arbitrary html being added to profile fields

2020-12-12 15:31:28 +00:00 · 2020-12-12 15:31:28 +00:00 · d3a7a2abf4
parent 70528e5f09
commit d3a7a2abf4
8 changed files with 18 additions and 1 deletions
--- a/donate.py
+++ b/donate.py
@ -48,6 +48,8 @@ def setDonationUrl(actorJson: {}, donateUrl: str) -> None:
        notUrl = True
    if ' ' in donateUrl:
        notUrl = True
+    if '<' in donateUrl:
+        notUrl = True

    if not actorJson.get('attachment'):
        actorJson['attachment'] = []
--- a/jami.py
+++ b/jami.py
@ -53,6 +53,8 @@ def setJamiAddress(actorJson: {}, jamiAddress: str) -> None:
        notJamiAddress = True
    if ',' in jamiAddress:
        notJamiAddress = True
+    if '<' in jamiAddress:
+        notJamiAddress = True

    if not actorJson.get('attachment'):
        actorJson['attachment'] = []
--- a/matrix.py
+++ b/matrix.py
@ -63,6 +63,8 @@ def setMatrixAddress(actorJson: {}, matrixAddress: str) -> None:
        return
    if '"' in matrixAddress:
        return
+    if '<' in matrixAddress:
+        return
    if ':' not in matrixAddress:
        return

--- a/pgp.py
+++ b/pgp.py
@ -83,6 +83,8 @@ def setEmailAddress(actorJson: {}, emailAddress: str) -> None:
        notEmailAddress = True
    if '.' not in emailAddress:
        notEmailAddress = True
+    if '<' in emailAddress:
+        notEmailAddress = True
    if emailAddress.startswith('@'):
        notEmailAddress = True

@ -134,6 +136,8 @@ def setPGPpubKey(actorJson: {}, PGPpubKey: str) -> None:
    else:
        if '--BEGIN PGP PUBLIC KEY' not in PGPpubKey:
            removeKey = True
+        if '<' in PGPpubKey:
+            removeKey = True

    if not actorJson.get('attachment'):
        actorJson['attachment'] = []
--- a/ssb.py
+++ b/ssb.py
@ -52,6 +52,8 @@ def setSSBAddress(actorJson: {}, ssbAddress: str) -> None:
        notSSBAddress = True
    if ',' in ssbAddress:
        notSSBAddress = True
+    if '<' in ssbAddress:
+        notSSBAddress = True

    if not actorJson.get('attachment'):
        actorJson['attachment'] = []
--- a/tox.py
+++ b/tox.py
@ -57,6 +57,8 @@ def setToxAddress(actorJson: {}, toxAddress: str) -> None:
        notToxAddress = True
    if ',' in toxAddress:
        notToxAddress = True
+    if '<' in toxAddress:
+        notToxAddress = True

    if not actorJson.get('attachment'):
        actorJson['attachment'] = []
--- a/webapp_utils.py
+++ b/webapp_utils.py
@ -9,6 +9,7 @@ __status__ = "Production"
 import os
 from collections import OrderedDict
 from session import getJson
+from utils import removeHtml
 from utils import getImageExtensions
 from utils import getProtocolPrefixes
 from utils import loadJson
@ -268,7 +269,7 @@ def setActorPropertyUrl(actorJson: {}, propertyName: str, url: str) -> None:
 def setBlogAddress(actorJson: {}, blogAddress: str) -> None:
    """Sets an blog address for the given actor
    """
-    setActorPropertyUrl(actorJson, 'Blog', blogAddress)
+    setActorPropertyUrl(actorJson, 'Blog', removeHtml(blogAddress))


 def updateAvatarImageCache(session, baseDir: str, httpPrefix: str,
--- a/xmpp.py
+++ b/xmpp.py
@ -43,6 +43,8 @@ def setXmppAddress(actorJson: {}, xmppAddress: str) -> None:
        notXmppAddress = True
    if '"' in xmppAddress:
        notXmppAddress = True
+    if '<' in xmppAddress:
+        notXmppAddress = True

    if not actorJson.get('attachment'):
        actorJson['attachment'] = []