forked from indymedia/epicyon
Avoid arbitrary html being added to profile fields
parent
70528e5f09
commit
d3a7a2abf4
|
@ -48,6 +48,8 @@ def setDonationUrl(actorJson: {}, donateUrl: str) -> None:
|
|||
notUrl = True
|
||||
if ' ' in donateUrl:
|
||||
notUrl = True
|
||||
if '<' in donateUrl:
|
||||
notUrl = True
|
||||
|
||||
if not actorJson.get('attachment'):
|
||||
actorJson['attachment'] = []
|
||||
|
|
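Review bot: The added `if '<' in donateUrl:` test in setDonationUrl rejects a single character, so a value containing `"` still passes as far as this hunk shows, and that matters if the field is ever written into an HTML attribute. setMatrixAddress already rejects `"`, and the same would fit here: `if '<' in donateUrl or '"' in donateUrl:`. The same one-character test is repeated in setJamiAddress, setEmailAddress, setSSBAddress and setToxAddress, so a shared helper in utils would keep the rule in one place, and HTML-escaping the value where the profile page is generated would cover anything the setters miss. The function body starts and ends outside the hunk, so earlier checks may already cover part of this.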
2
jami.py
2
jami.py
|
@ -53,6 +53,8 @@ def setJamiAddress(actorJson: {}, jamiAddress: str) -> None:
|
|||
notJamiAddress = True
|
||||
if ',' in jamiAddress:
|
||||
notJamiAddress = True
|
||||
if '<' in jamiAddress:
|
||||
notJamiAddress = True
|
||||
|
||||
if not actorJson.get('attachment'):
|
||||
actorJson['attachment'] = []
|
||||
|
|
|
@ -63,6 +63,8 @@ def setMatrixAddress(actorJson: {}, matrixAddress: str) -> None:
|
|||
return
|
||||
if '"' in matrixAddress:
|
||||
return
|
||||
if '<' in matrixAddress:
|
||||
return
|
||||
if ':' not in matrixAddress:
|
||||
return
|
||||
|
||||
|
|
4
pgp.py
4
pgp.py
|
@ -83,6 +83,8 @@ def setEmailAddress(actorJson: {}, emailAddress: str) -> None:
|
|||
notEmailAddress = True
|
||||
if '.' not in emailAddress:
|
||||
notEmailAddress = True
|
||||
if '<' in emailAddress:
|
||||
notEmailAddress = True
|
||||
if emailAddress.startswith('@'):
|
||||
notEmailAddress = True
|
||||
|
||||
|
@ -134,6 +136,8 @@ def setPGPpubKey(actorJson: {}, PGPpubKey: str) -> None:
|
|||
else:
|
||||
if '--BEGIN PGP PUBLIC KEY' not in PGPpubKey:
|
||||
removeKey = True
|
||||
if '<' in PGPpubKey:
|
||||
removeKey = True
|
||||
|
||||
if not actorJson.get('attachment'):
|
||||
actorJson['attachment'] = []
|
||||
|
|
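Review bot: In setPGPpubKey, `if '<' in PGPpubKey:` sets removeKey for any key text that contains an angle bracket, which can drop a valid key. ASCII-armoured keys may carry free-text `Comment:` header lines, and some tools write the user ID there as `Name <address>`. Consider applying the test only to the text outside the armour headers, or keeping the key as given and HTML-escaping it where the profile page is rendered. The function continues outside the hunk, so how removeKey is acted on or reported to the user is not visible here.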
2
ssb.py
2
ssb.py
|
@ -52,6 +52,8 @@ def setSSBAddress(actorJson: {}, ssbAddress: str) -> None:
|
|||
notSSBAddress = True
|
||||
if ',' in ssbAddress:
|
||||
notSSBAddress = True
|
||||
if '<' in ssbAddress:
|
||||
notSSBAddress = True
|
||||
|
||||
if not actorJson.get('attachment'):
|
||||
actorJson['attachment'] = []
|
||||
|
|
2
tox.py
2
tox.py
|
@ -57,6 +57,8 @@ def setToxAddress(actorJson: {}, toxAddress: str) -> None:
|
|||
notToxAddress = True
|
||||
if ',' in toxAddress:
|
||||
notToxAddress = True
|
||||
if '<' in toxAddress:
|
||||
notToxAddress = True
|
||||
|
||||
if not actorJson.get('attachment'):
|
||||
actorJson['attachment'] = []
|
||||
|
|
|
@ -9,6 +9,7 @@ __status__ = "Production"
|
|||
import os
|
||||
from collections import OrderedDict
|
||||
from session import getJson
|
||||
from utils import removeHtml
|
||||
from utils import getImageExtensions
|
||||
from utils import getProtocolPrefixes
|
||||
from utils import loadJson
|
||||
|
@ -268,7 +269,7 @@ def setActorPropertyUrl(actorJson: {}, propertyName: str, url: str) -> None:
|
|||
def setBlogAddress(actorJson: {}, blogAddress: str) -> None:
|
||||
"""Sets an blog address for the given actor
|
||||
"""
|
||||
setActorPropertyUrl(actorJson, 'Blog', blogAddress)
|
||||
setActorPropertyUrl(actorJson, 'Blog', removeHtml(blogAddress))
|
||||
|
||||
|
||||
def updateAvatarImageCache(session, baseDir: str, httpPrefix: str,
|
||||
|
|
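Review bot: setBlogAddress sanitises by stripping, `removeHtml(blogAddress)`, while the other profile setters in this commit reject a value that contains `<`, so the same input is refused in one field and silently rewritten in another. removeHtml is not shown here; if it only removes tags, the remainder that gets stored may not be the address the user typed. Rejecting would match the rest of the commit: `if '<' in blogAddress: return` before the setActorPropertyUrl call. While here, the docstring could read `"""Sets a blog address for the given actor`.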