Avoid arbitrary html being added to profile fields

main
Bob Mottram 2020-12-12 15:31:28 +00:00
parent 70528e5f09
commit d3a7a2abf4
8 changed files with 18 additions and 1 deletions

View File

@ -48,6 +48,8 @@ def setDonationUrl(actorJson: {}, donateUrl: str) -> None:
notUrl = True
if ' ' in donateUrl:
notUrl = True
if '<' in donateUrl:
notUrl = True
if not actorJson.get('attachment'):
actorJson['attachment'] = []

View File

@ -53,6 +53,8 @@ def setJamiAddress(actorJson: {}, jamiAddress: str) -> None:
notJamiAddress = True
if ',' in jamiAddress:
notJamiAddress = True
if '<' in jamiAddress:
notJamiAddress = True
if not actorJson.get('attachment'):
actorJson['attachment'] = []

View File

@ -63,6 +63,8 @@ def setMatrixAddress(actorJson: {}, matrixAddress: str) -> None:
return
if '"' in matrixAddress:
return
if '<' in matrixAddress:
return
if ':' not in matrixAddress:
return

4
pgp.py
View File

@ -83,6 +83,8 @@ def setEmailAddress(actorJson: {}, emailAddress: str) -> None:
notEmailAddress = True
if '.' not in emailAddress:
notEmailAddress = True
if '<' in emailAddress:
notEmailAddress = True
if emailAddress.startswith('@'):
notEmailAddress = True
@ -134,6 +136,8 @@ def setPGPpubKey(actorJson: {}, PGPpubKey: str) -> None:
else:
if '--BEGIN PGP PUBLIC KEY' not in PGPpubKey:
removeKey = True
if '<' in PGPpubKey:
removeKey = True
if not actorJson.get('attachment'):
actorJson['attachment'] = []

2
ssb.py
View File

@ -52,6 +52,8 @@ def setSSBAddress(actorJson: {}, ssbAddress: str) -> None:
notSSBAddress = True
if ',' in ssbAddress:
notSSBAddress = True
if '<' in ssbAddress:
notSSBAddress = True
if not actorJson.get('attachment'):
actorJson['attachment'] = []

2
tox.py
View File

@ -57,6 +57,8 @@ def setToxAddress(actorJson: {}, toxAddress: str) -> None:
notToxAddress = True
if ',' in toxAddress:
notToxAddress = True
if '<' in toxAddress:
notToxAddress = True
if not actorJson.get('attachment'):
actorJson['attachment'] = []

View File

@ -9,6 +9,7 @@ __status__ = "Production"
import os
from collections import OrderedDict
from session import getJson
from utils import removeHtml
from utils import getImageExtensions
from utils import getProtocolPrefixes
from utils import loadJson
@ -268,7 +269,7 @@ def setActorPropertyUrl(actorJson: {}, propertyName: str, url: str) -> None:
def setBlogAddress(actorJson: {}, blogAddress: str) -> None:
"""Sets an blog address for the given actor
"""
setActorPropertyUrl(actorJson, 'Blog', blogAddress)
setActorPropertyUrl(actorJson, 'Blog', removeHtml(blogAddress))
def updateAvatarImageCache(session, baseDir: str, httpPrefix: str,

View File

@ -43,6 +43,8 @@ def setXmppAddress(actorJson: {}, xmppAddress: str) -> None:
notXmppAddress = True
if '"' in xmppAddress:
notXmppAddress = True
if '<' in xmppAddress:
notXmppAddress = True
if not actorJson.get('attachment'):
actorJson['attachment'] = []