~vpzom/lotide

73ecba6575f204c463527cee4a71f0bb9ecd5163 — Colin Reeder 10 days ago a180781
Sanitize outgoing HTML (#110)
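--- a/Cargo.lock
+++ b/Cargo.lock
@@ -44,6 +44,21 @@ dependencies = [
 ]
 
 [[package]]
+name = "ammonia"
+version = "3.1.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "89eac85170f4b3fb3dc5e442c1cfb036cb8eecf9dbbd431a161ffad15d90ea3b"
+dependencies = [
+ "html5ever",
+ "lazy_static",
+ "maplit",
+ "markup5ever_rcdom",
+ "matches",
+ "tendril",
+ "url",
+]
+
+[[package]]
 name = "arc-swap"
 version = "0.4.7"
 source = "registry+https://github.com/rust-lang/crates.io-index"
@@ -481,6 +496,16 @@ source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "3dcaa9ae7725d12cdb85b3ad99a434db70b468c09ded17e012d86b5c1010f7a7"
 
 [[package]]
+name = "futf"
+version = "0.1.4"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "7c9c1ce3fa9336301af935ab852c437817d14cd33690446569392e65170aac3b"
+dependencies = [
+ "mac",
+ "new_debug_unreachable",
+]
+
+[[package]]
 name = "futures"
 version = "0.3.5"
 source = "registry+https://github.com/rust-lang/crates.io-index"
@@ -743,6 +768,20 @@ dependencies = [
 ]
 
 [[package]]
+name = "html5ever"
+version = "0.25.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "aafcf38a1a36118242d29b92e1b08ef84e67e4a5ed06e0a80be20e6a32bfed6b"
+dependencies = [
+ "log",
+ "mac",
+ "markup5ever",
+ "proc-macro2",
+ "quote",
+ "syn",
+]
+
+[[package]]
 name = "http"
 version = "0.2.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
@@ -1004,6 +1043,7 @@ version = "0.7.0-pre"
 dependencies = [
  "activitystreams",
  "activitystreams-ext",
+ "ammonia",
  "async-trait",
  "bcrypt",
  "bs58",
@@ -1047,6 +1087,47 @@ dependencies = [
 ]
 
 [[package]]
+name = "mac"
+version = "0.1.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "c41e0c4fef86961ac6d6f8a82609f55f31b05e4fce149ac5710e439df7619ba4"
+
+[[package]]
+name = "maplit"
+version = "1.0.2"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "3e2e65a1a2e43cfcb47a895c4c8b10d1f4a61097f9f254f183aee60cad9c651d"
+
+[[package]]
+name = "markup5ever"
+version = "0.10.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "aae38d669396ca9b707bfc3db254bc382ddb94f57cc5c235f34623a669a01dab"
+dependencies = [
+ "log",
+ "phf",
+ "phf_codegen",
+ "serde",
+ "serde_derive",
+ "serde_json",
+ "string_cache",
+ "string_cache_codegen",
+ "tendril",
+]
+
+[[package]]
+name = "markup5ever_rcdom"
+version = "0.1.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "f015da43bcd8d4f144559a3423f4591d69b8ce0652c905374da7205df336ae2b"
+dependencies = [
+ "html5ever",
+ "markup5ever",
+ "tendril",
+ "xml5ever",
+]
+
+[[package]]
 name = "match_cfg"
 version = "0.1.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
@@ -1186,6 +1267,12 @@ dependencies = [
 ]
 
 [[package]]
+name = "new_debug_unreachable"
+version = "1.0.4"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "e4a24736216ec316047a1fc4252e27dabb04218aa4a3f37c6e7ddbf1f9782b54"
+
+[[package]]
 name = "nom"
 version = "5.1.2"
 source = "registry+https://github.com/rust-lang/crates.io-index"
@@ -1318,6 +1405,26 @@ dependencies = [
 ]
 
 [[package]]
+name = "phf_codegen"
+version = "0.8.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "cbffee61585b0411840d3ece935cce9cb6321f01c45477d30066498cd5e1a815"
+dependencies = [
+ "phf_generator",
+ "phf_shared",
+]
+
+[[package]]
+name = "phf_generator"
+version = "0.8.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "17367f0cc86f2d25802b2c26ee58a7b23faeccf78a396094c13dced0d0182526"
+dependencies = [
+ "phf_shared",
+ "rand",
+]
+
+[[package]]
 name = "phf_shared"
 version = "0.8.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
@@ -1404,6 +1511,12 @@ source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "237a5ed80e274dbc66f86bd59c1e25edc039660be53194b5fe0a482e0f2612ea"
 
 [[package]]
+name = "precomputed-hash"
+version = "0.1.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "925383efa346730478fb4838dbe9137d2a47675ad789c546d150a6e1dd4ab31c"
+
+[[package]]
 name = "proc-macro-hack"
 version = "0.5.16"
 source = "registry+https://github.com/rust-lang/crates.io-index"
@@ -1473,6 +1586,7 @@ dependencies = [
  "rand_chacha",
  "rand_core",
  "rand_hc",
+ "rand_pcg",
 ]
 
 [[package]]
@@ -1504,6 +1618,15 @@ dependencies = [
 ]
 
 [[package]]
+name = "rand_pcg"
+version = "0.2.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "16abd0c1b639e9eb4d7c50c0b8100b0d0f849be2349829c740fe8e6eb4816429"
+dependencies = [
+ "rand_core",
+]
+
+[[package]]
 name = "redox_syscall"
 version = "0.1.56"
 source = "registry+https://github.com/rust-lang/crates.io-index"
@@ -1798,6 +1921,31 @@ source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "a2eb9349b6444b326872e140eb1cf5e7c522154d69e7a0ffb0fb81c06b37543f"
 
 [[package]]
+name = "string_cache"
+version = "0.8.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "2940c75beb4e3bf3a494cef919a747a2cb81e52571e212bfbd185074add7208a"
+dependencies = [
+ "lazy_static",
+ "new_debug_unreachable",
+ "phf_shared",
+ "precomputed-hash",
+ "serde",
+]
+
+[[package]]
+name = "string_cache_codegen"
+version = "0.5.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "f24c8e5e19d22a726626f1a5e16fe15b132dcf21d10177fa5a45ce7962996b97"
+dependencies = [
+ "phf_generator",
+ "phf_shared",
+ "proc-macro2",
+ "quote",
+]
+
+[[package]]
 name = "stringprep"
 version = "0.1.2"
 source = "registry+https://github.com/rust-lang/crates.io-index"
@@ -1839,6 +1987,17 @@ dependencies = [
 ]
 
 [[package]]
+name = "tendril"
+version = "0.4.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "707feda9f2582d5d680d733e38755547a3e8fb471e7ba11452ecfd9ce93a5d3b"
+dependencies = [
+ "futf",
+ "mac",
+ "utf-8",
+]
+
+[[package]]
 name = "thiserror"
 version = "1.0.20"
 source = "registry+https://github.com/rust-lang/crates.io-index"
@@ -2118,6 +2277,12 @@ dependencies = [
 ]
 
 [[package]]
+name = "utf-8"
+version = "0.7.5"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "05e42f7c18b8f902290b009cde6d651262f956c98bc51bca4cd1d511c9cd85c7"
+
+[[package]]
 name = "uuid"
 version = "0.8.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
@@ -2284,3 +2449,15 @@ dependencies = [
  "winapi 0.2.8",
  "winapi-build",
 ]
+
+[[package]]
+name = "xml5ever"
+version = "0.16.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "0b1b52e6e8614d4a58b8e70cf51ec0cc21b256ad8206708bcff8139b5bbd6a59"
+dependencies = [
+ "log",
+ "mac",
+ "markup5ever",
+ "time",
+]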

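--- a/Cargo.toml
+++ b/Cargo.toml
@@ -48,6 +48,7 @@ bs58 = "0.3.1"
 bumpalo = "3.4.0"
 tokio-util = "0.3.1"
 henry = "0.1.0"
+ammonia = "3.1.0"
 
 [dev-dependencies]
 rand = "0.7.3"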
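Review bot: `ammonia = "3.1.0"` becomes the sanitization boundary for everything this commit sends out over ActivityPub and the API, but the manifest line gives no hint of that role. A comment above it such as `# HTML sanitizer for outgoing content; security-relevant, keep up to date` would flag it for whoever maintains dependencies. The requirement is a caret range, so fixes within 3.x only arrive on `cargo update`; running `cargo audit` against the lockfile would surface advisories for this crate and for the html5ever parser stack it brings in.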

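--- a/src/apub_util.rs
+++ b/src/apub_util.rs
@@ -1006,7 +1006,9 @@ pub fn post_to_ap(
         post: &crate::PostInfo,
     ) -> Result<(), crate::Error> {
         if let Some(html) = post.content_html {
-            props.set_content(html).set_media_type(mime::TEXT_HTML);
+            props
+                .set_content(ammonia::clean(&html))
+                .set_media_type(mime::TEXT_HTML);
 
             if let Some(md) = post.content_markdown {
                 let mut src = activitystreams::object::Object::<()>::new();
@@ -1137,7 +1139,7 @@ pub fn local_comment_to_ap(
     let mut obj = activitystreams::object::ApObject::new(obj);
 
     if let Some(html) = &comment.content_html {
-        obj.set_content(html.as_ref().to_owned())
+        obj.set_content(ammonia::clean(&html))
             .set_media_type(mime::TEXT_HTML);
 
         if let Some(md) = &comment.content_markdown {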
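Review bot: `ammonia::clean(...)` with its default policy is written out separately at each output site: twice in this file (`post_to_ap` and `local_comment_to_ap`) and again in src/routes/api/communities.rs, src/routes/api/mod.rs and src/routes/api/posts.rs. A response path not touched by this commit, or one added later, would therefore still emit stored HTML unsanitized, and nothing would point that out. Routing every site through one crate-level helper, e.g. `pub fn clean_html(src: &str) -> String { ammonia::clean(src) }`, keeps the allowlist in one place if it ever has to be tightened through `ammonia::Builder`, and gives reviewers a single name to grep for. In `local_comment_to_ap` the binding `html` is already a reference, so `ammonia::clean(&html)` leans on auto-deref; `ammonia::clean(html)` is probably enough, depending on the field type, which is outside the hunk. Both function bodies start and end outside the hunks shown.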

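--- a/src/routes/api/communities.rs
+++ b/src/routes/api/communities.rs
@@ -642,7 +642,7 @@ async fn route_unstable_communities_posts_list(
                 title,
                 href: ctx.process_href_opt(href, id),
                 content_text,
-                content_html,
+                content_html_safe: content_html.map(|html| ammonia::clean(&html)),
                 author: author.as_ref(),
                 created: &created.to_rfc3339(),
                 community: &community,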
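Review bot: This list route now runs the sanitizer once per row on every request (`content_html.map(|html| ammonia::clean(&html))`), and `handle_common_posts_list` in src/routes/api/mod.rs does the same. Each call parses and re-serializes the stored HTML, so the cost grows with page size and body length. If post bodies are not length-limited when they are stored or received (not visible here), any client of the route can trigger that work repeatedly. Sanitizing at output is a sound default because a policy change then applies to old rows too. A short comment at the call saying that this is deliberate, and where the body-size bound lives, would help the next reader. The struct literal and the surrounding loop continue outside the hunk.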

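--- a/src/routes/api/mod.rs
+++ b/src/routes/api/mod.rs
@@ -98,7 +98,8 @@ struct RespPostListPost<'a> {
     title: &'a str,
     href: Option<Cow<'a, str>>,
     content_text: Option<&'a str>,
-    content_html: Option<&'a str>,
+    #[serde(rename = "content_html")]
+    content_html_safe: Option<String>,
     author: Option<&'a RespMinimalAuthorInfo<'a>>,
     created: &'a str,
     community: &'a RespMinimalCommunityInfo<'a>,
@@ -787,7 +788,7 @@ async fn handle_common_posts_list(
                 title,
                 href: ctx.process_href_opt(href, id),
                 content_text,
-                content_html,
+                content_html_safe: content_html.map(|html| ammonia::clean(&html)),
                 author: author.as_ref(),
                 created: &created.to_rfc3339(),
                 community: &community,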
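Review bot: `content_html_safe: Option<String>` in `RespPostListPost` carries a security invariant that only its name expresses: the value is serialized as `content_html`, clients will presumably render it, and the type accepts any string. A doc comment on the field, for example `/// Output of ammonia::clean, serialized as "content_html"; never assign raw stored HTML.`, would state the rule for the next construction site. A small newtype around `String` that only the sanitizer can construct would let the compiler enforce it rather than the naming convention. The rename does force every existing constructor to be revisited, which is a good property to mention in that comment. The struct definition continues past the hunk.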

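--- a/src/routes/api/posts.rs
+++ b/src/routes/api/posts.rs
@@ -305,7 +305,7 @@ async fn route_unstable_posts_get(
         Some(row) => {
             let href = row.get(1);
             let content_text = row.get(2);
-            let content_html = row.get(5);
+            let content_html: Option<&str> = row.get(5);
             let title = row.get(3);
             let created: chrono::DateTime<chrono::FixedOffset> = row.get(4);
             let community_id = CommunityLocalID(row.get(6));
@@ -351,7 +351,7 @@ async fn route_unstable_posts_get(
                 title,
                 href: ctx.process_href_opt(href, post_id),
                 content_text,
-                content_html,
+                content_html_safe: content_html.map(|html| ammonia::clean(&html)),
                 author: author.as_ref(),
                 created: &created.to_rfc3339(),
                 community: &community,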