From f6d44107d35e4ccbea67617d707bbd01f4df1615 Mon Sep 17 00:00:00 2001
From: Bob Mottram
Date: Mon, 23 Jan 2023 17:54:18 +0000
Subject: [PATCH] Check for dangerous markup within image license and creator
---
 webapp_utils.py | 27 +++++++++++++++------------
 1 file changed, 15 insertions(+), 12 deletions(-)
diff --git a/webapp_utils.py b/webapp_utils.py
index fdea01ef0..e3548ad25 100644
--- a/webapp_utils.py
+++ b/webapp_utils.py
@@ -11,6 +11,7 @@ import os
 from shutil import copyfile
 from collections import OrderedDict
 from session import get_json
+from utils import dangerous_markup
 from utils import acct_handle_dir
 from utils import remove_id_ending
 from utils import get_attachment_property_value
@@ -1237,21 +1238,23 @@ def get_post_attachments_as_html(base_dir: str,
 continue
 media_license = ''
 if attach.get('schema:license'):
- if not is_filtered(base_dir, nickname, domain,
- attach['schema:license'],
- system_language):
- if '://' not in attach['schema:license']:
- if len(attach['schema:license']) < 60:
+ if not dangerous_markup(attach['schema:license'], False):
+ if not is_filtered(base_dir, nickname, domain,
+ attach['schema:license'],
+ system_language):
+ if '://' not in attach['schema:license']:
+ if len(attach['schema:license']) < 60:
+ media_license = attach['schema:license']
+ else:
 media_license = attach['schema:license']
- else:
- media_license = attach['schema:license']
 media_creator = ''
 if attach.get('schema:creator'):
- if not is_filtered(base_dir, nickname, domain,
- attach['schema:creator'],
- system_language):
- if len(attach['schema:creator']) < 60:
- media_creator = attach['schema:creator']
+ if len(attach['schema:creator']) < 60:
+ if not dangerous_markup(attach['schema:creator'], False):
+ if not is_filtered(base_dir, nickname, domain,
+ attach['schema:creator'],
+ system_language):
+ media_creator = attach['schema:creator']
 media_type = attach['mediaType']
 image_description = ''
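Review bot: The two new guard chains in get_post_attachments_as_html are now four to five `if` levels deep, and the second positional argument to dangerous_markup is a bare `False` that gives a reader no hint what it disables; a single `and`-chained condition with the attachment value bound once, and that flag passed by keyword or through a named local once its meaning is confirmed from the utils signature, would keep the same acceptance rule while being much easier to audit. The license and creator branches also order the same three tests differently (length last versus length first), which is harmless but hides that they apply the same policy. The rewrite below preserves the existing behaviour, including the pre-existing rule that a license containing `://` skips the length limit. If media_license and media_creator are interpolated into the returned HTML further down, escaping them with html.escape at that point would be a more robust complement to this check, since dangerous_markup is a pattern filter rather than an encoder. get_post_attachments_as_html starts and ends outside the hunk.
```python
        media_license = ''
        if attach.get('schema:license'):
            license_text = attach['schema:license']
            # NOTE(review): confirm what the positional False toggles in
            # dangerous_markup and consider passing it by keyword
            if (not dangerous_markup(license_text, False)
                    and not is_filtered(base_dir, nickname, domain,
                                        license_text, system_language)
                    and ('://' in license_text or len(license_text) < 60)):
                media_license = license_text
        media_creator = ''
        if attach.get('schema:creator'):
            creator_text = attach['schema:creator']
            if (len(creator_text) < 60
                    and not dangerous_markup(creator_text, False)
                    and not is_filtered(base_dir, nickname, domain,
                                        creator_text, system_language)):
                media_creator = creator_text
        # … unchanged: media_type / image_description …
```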