Avoid arbitrary html being added to profile fields

donate.py

@@ -48,6 +48,8 @@ def setDonationUrl(actorJson: {}, donateUrl: str) -> None:
         notUrl = True
     if ' ' in donateUrl:
         notUrl = True
+    if '<' in donateUrl:
+        notUrl = True
 
     if not actorJson.get('attachment'):
         actorJson['attachment'] = []

jami.py

@@ -53,6 +53,8 @@ def setJamiAddress(actorJson: {}, jamiAddress: str) -> None:
         notJamiAddress = True
     if ',' in jamiAddress:
         notJamiAddress = True
+    if '<' in jamiAddress:
+        notJamiAddress = True
 
     if not actorJson.get('attachment'):
         actorJson['attachment'] = []

matrix.py

@@ -63,6 +63,8 @@ def setMatrixAddress(actorJson: {}, matrixAddress: str) -> None:
         return
     if '"' in matrixAddress:
         return
+    if '<' in matrixAddress:
+        return
     if ':' not in matrixAddress:
         return
 

pgp.py

@@ -83,6 +83,8 @@ def setEmailAddress(actorJson: {}, emailAddress: str) -> None:
         notEmailAddress = True
     if '.' not in emailAddress:
         notEmailAddress = True
+    if '<' in emailAddress:
+        notEmailAddress = True
     if emailAddress.startswith('@'):
         notEmailAddress = True
 
@@ -134,6 +136,8 @@ def setPGPpubKey(actorJson: {}, PGPpubKey: str) -> None:
     else:
         if '--BEGIN PGP PUBLIC KEY' not in PGPpubKey:
             removeKey = True
+        if '<' in PGPpubKey:
+            removeKey = True
 
     if not actorJson.get('attachment'):
         actorJson['attachment'] = []

ssb.py

@@ -52,6 +52,8 @@ def setSSBAddress(actorJson: {}, ssbAddress: str) -> None:
         notSSBAddress = True
     if ',' in ssbAddress:
         notSSBAddress = True
+    if '<' in ssbAddress:
+        notSSBAddress = True
 
     if not actorJson.get('attachment'):
         actorJson['attachment'] = []

tox.py

@@ -57,6 +57,8 @@ def setToxAddress(actorJson: {}, toxAddress: str) -> None:
         notToxAddress = True
     if ',' in toxAddress:
         notToxAddress = True
+    if '<' in toxAddress:
+        notToxAddress = True
 
     if not actorJson.get('attachment'):
         actorJson['attachment'] = []

webapp_utils.py

@@ -9,6 +9,7 @@ __status__ = "Production"
 import os
 from collections import OrderedDict
 from session import getJson
+from utils import removeHtml
 from utils import getImageExtensions
 from utils import getProtocolPrefixes
 from utils import loadJson
@@ -268,7 +269,7 @@ def setActorPropertyUrl(actorJson: {}, propertyName: str, url: str) -> None:
 def setBlogAddress(actorJson: {}, blogAddress: str) -> None:
     """Sets an blog address for the given actor
     """
-    setActorPropertyUrl(actorJson, 'Blog', blogAddress)
+    setActorPropertyUrl(actorJson, 'Blog', removeHtml(blogAddress))
 
 
 def updateAvatarImageCache(session, baseDir: str, httpPrefix: str,

xmpp.py

@@ -43,6 +43,8 @@ def setXmppAddress(actorJson: {}, xmppAddress: str) -> None:
         notXmppAddress = True
     if '"' in xmppAddress:
         notXmppAddress = True
+    if '<' in xmppAddress:
+        notXmppAddress = True
 
     if not actorJson.get('attachment'):
         actorJson['attachment'] = []