			Avoid arbitrary html being added to profile fields
							parent
							
								
									70528e5f09
								
							
						
					
					
						commit
						d3a7a2abf4
					
				|  | @ -48,6 +48,8 @@ def setDonationUrl(actorJson: {}, donateUrl: str) -> None: | ||||||
|         notUrl = True |         notUrl = True | ||||||
|     if ' ' in donateUrl: |     if ' ' in donateUrl: | ||||||
|         notUrl = True |         notUrl = True | ||||||
|  |     if '<' in donateUrl: | ||||||
|  |         notUrl = True | ||||||
| 
 | 
 | ||||||
|     if not actorJson.get('attachment'): |     if not actorJson.get('attachment'): | ||||||
|         actorJson['attachment'] = [] |         actorJson['attachment'] = [] | ||||||
|  |  | ||||||
							
								
								
									
										2
									
								
								jami.py
								
								
								
								
							
							
						
						
									
										2
									
								
								jami.py
								
								
								
								
							|  | @ -53,6 +53,8 @@ def setJamiAddress(actorJson: {}, jamiAddress: str) -> None: | ||||||
|         notJamiAddress = True |         notJamiAddress = True | ||||||
|     if ',' in jamiAddress: |     if ',' in jamiAddress: | ||||||
|         notJamiAddress = True |         notJamiAddress = True | ||||||
|  |     if '<' in jamiAddress: | ||||||
|  |         notJamiAddress = True | ||||||
| 
 | 
 | ||||||
|     if not actorJson.get('attachment'): |     if not actorJson.get('attachment'): | ||||||
|         actorJson['attachment'] = [] |         actorJson['attachment'] = [] | ||||||
|  |  | ||||||
|  | @ -63,6 +63,8 @@ def setMatrixAddress(actorJson: {}, matrixAddress: str) -> None: | ||||||
|         return |         return | ||||||
|     if '"' in matrixAddress: |     if '"' in matrixAddress: | ||||||
|         return |         return | ||||||
|  |     if '<' in matrixAddress: | ||||||
|  |         return | ||||||
|     if ':' not in matrixAddress: |     if ':' not in matrixAddress: | ||||||
|         return |         return | ||||||
| 
 | 
 | ||||||
|  |  | ||||||
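Review bot: Rejecting a value only when it contains `<` blocks tag injection but not attribute breakout: if the address is later written into an `href="…"` or similar attribute, a value carrying `"` or `'` still terminates the attribute, and setJamiAddress's visible checks are only `','` and `'<'` (earlier checks may sit above the hunk). The same single-character denylist is added in this commit to setDonationUrl, setMatrixAddress, setEmailAddress, setPGPpubKey, setSSBAddress, setToxAddress and setXmppAddress; only the matrix and xmpp hunks show a `'"'` check alongside it. The durable fix is to HTML-escape at the rendering site and treat these input checks as defence in depth, or to validate each address against the characters its scheme actually permits rather than against a denylist. Whichever is chosen, a one-line comment such as `# reject anything that could carry HTML markup into the rendered profile` above each new check would record the intent, which nothing in the hunks currently states. setJamiAddress and setMatrixAddress both start and end outside their hunks.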
							
								
								
									
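--- a/pgp.py
+++ b/pgp.py
@@ -83,6 +83,8 @@ def setEmailAddress(actorJson: {}, emailAddress: str) -> None:
         notEmailAddress = True
     if '.' not in emailAddress:
         notEmailAddress = True
+    if '<' in emailAddress:
+        notEmailAddress = True
     if emailAddress.startswith('@'):
         notEmailAddress = True
 
@@ -134,6 +136,8 @@ def setPGPpubKey(actorJson: {}, PGPpubKey: str) -> None:
     else:
         if '--BEGIN PGP PUBLIC KEY' not in PGPpubKey:
             removeKey = True
+        if '<' in PGPpubKey:
+            removeKey = True
 
     if not actorJson.get('attachment'):
         actorJson['attachment'] = []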
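Review bot: In setPGPpubKey the new `'<'` check and the armor check are two independent statements inside the `else:` branch that both set the same flag; merging them as `if '--BEGIN PGP PUBLIC KEY' not in PGPpubKey or '<' in PGPpubKey:` reads as one rejection rule instead of two. Nothing in either hunk records why `<` is singled out, so a comment such as `# reject values that could carry HTML markup into the rendered profile` above each new check would help the next reader. ASCII-armor header lines (a `Comment:` line, for example) are free text, so a key whose header happens to contain `<` is now dropped rather than cleaned; that seems acceptable for this field but is currently undocumented. setEmailAddress and setPGPpubKey both start and end outside their hunks.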
							
								
								
									
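--- a/ssb.py
+++ b/ssb.py
@@ -52,6 +52,8 @@ def setSSBAddress(actorJson: {}, ssbAddress: str) -> None:
         notSSBAddress = True
     if ',' in ssbAddress:
         notSSBAddress = True
+    if '<' in ssbAddress:
+        notSSBAddress = True
 
     if not actorJson.get('attachment'):
         actorJson['attachment'] = []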
							
								
								
									
										2
									
								
								tox.py
								
								
								
								
							
							
						
						
									
										2
									
								
								tox.py
								
								
								
								
							|  | @ -57,6 +57,8 @@ def setToxAddress(actorJson: {}, toxAddress: str) -> None: | ||||||
|         notToxAddress = True |         notToxAddress = True | ||||||
|     if ',' in toxAddress: |     if ',' in toxAddress: | ||||||
|         notToxAddress = True |         notToxAddress = True | ||||||
|  |     if '<' in toxAddress: | ||||||
|  |         notToxAddress = True | ||||||
| 
 | 
 | ||||||
|     if not actorJson.get('attachment'): |     if not actorJson.get('attachment'): | ||||||
|         actorJson['attachment'] = [] |         actorJson['attachment'] = [] | ||||||
|  |  | ||||||
|  | @ -9,6 +9,7 @@ __status__ = "Production" | ||||||
| import os | import os | ||||||
| from collections import OrderedDict | from collections import OrderedDict | ||||||
| from session import getJson | from session import getJson | ||||||
|  | from utils import removeHtml | ||||||
| from utils import getImageExtensions | from utils import getImageExtensions | ||||||
| from utils import getProtocolPrefixes | from utils import getProtocolPrefixes | ||||||
| from utils import loadJson | from utils import loadJson | ||||||
|  | @ -268,7 +269,7 @@ def setActorPropertyUrl(actorJson: {}, propertyName: str, url: str) -> None: | ||||||
| def setBlogAddress(actorJson: {}, blogAddress: str) -> None: | def setBlogAddress(actorJson: {}, blogAddress: str) -> None: | ||||||
|     """Sets an blog address for the given actor |     """Sets an blog address for the given actor | ||||||
|     """ |     """ | ||||||
|     setActorPropertyUrl(actorJson, 'Blog', blogAddress) |     setActorPropertyUrl(actorJson, 'Blog', removeHtml(blogAddress)) | ||||||
| 
 | 
 | ||||||
| 
 | 
 | ||||||
| def updateAvatarImageCache(session, baseDir: str, httpPrefix: str, | def updateAvatarImageCache(session, baseDir: str, httpPrefix: str, | ||||||
|  |  | ||||||
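Review bot: setBlogAddress silently strips markup with `removeHtml(blogAddress)` while every other setter touched by this commit rejects the value outright when it contains `<`; the two strategies give the user different feedback for the same kind of input, and what removeHtml actually removes is not visible here. Consistency would mean either rejecting here too, `if '<' in blogAddress: return` before the setActorPropertyUrl call, or documenting the deliberate difference in the docstring, e.g. `"""Sets a blog address for the given actor, stripping any html markup first"""` (which also fixes the existing "an blog" typo). The new `from utils import removeHtml` line is inserted ahead of getImageExtensions, breaking the alphabetical order the surrounding utils imports follow. The import block and updateAvatarImageCache both continue outside the hunk.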
							
								
								
									
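--- a/xmpp.py
+++ b/xmpp.py
@@ -43,6 +43,8 @@ def setXmppAddress(actorJson: {}, xmppAddress: str) -> None:
         notXmppAddress = True
     if '"' in xmppAddress:
         notXmppAddress = True
+    if '<' in xmppAddress:
+        notXmppAddress = True
 
     if not actorJson.get('attachment'):
         actorJson['attachment'] = []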