fix: profile settings html sanitization

crates/app/src/public/html/communities/settings.html

@@ -781,7 +781,7 @@
 </script>
 
 <!-- prettier-ignore -->
-<script type="application/json" id="settings_json">{{ community_context_serde|safe }}</script>
+<script type="application/json" id="settings_json">{{ community.context|json_encode()|safe }}</script>
 
 <script>
     setTimeout(() => {

crates/app/src/public/html/profile/settings.html

@@ -860,7 +860,7 @@
     </div>
 
     <!-- prettier-ignore -->
-    <script type="application/json" id="settings_json">{{ user_settings_serde|safe }}</script>
+    <script type="application/json" id="settings_json">{{ user.settings|json_encode()|safe }}</script>
 
     <script>
         setTimeout(() => {

crates/app/src/routes/api/v1/auth/mod.rs

@@ -133,7 +133,7 @@ pub async fn login_request(
     }
 
     // verify password
-    let user = match data.get_user_by_username(&props.username).await {
+    let user = match data.get_user_by_username_no_cache(&props.username).await {
         Ok(ua) => ua,
         Err(_) => return (None, Json(Error::IncorrectPassword.into())),
     };

crates/app/src/routes/pages/communities.rs

@@ -1,5 +1,5 @@
 use super::{render_error, PaginatedQuery, RepostsQuery, SearchedQuery};
-use crate::{assets::initial_context, get_lang, get_user_from_token, sanitize::clean_context, State};
+use crate::{assets::initial_context, get_lang, get_user_from_token, State};
 use axum::{
     Extension,
     extract::{Path, Query},
@@ -557,10 +557,6 @@ pub async fn settings_request(
     let mut context = initial_context(&data.0.0, lang, &Some(user)).await;
 
     context.insert("community", &community);
-    context.insert(
-        "community_context_serde",
-        &clean_context(&community.context),
-    );
 
     context.insert("can_manage_channels", &can_manage_channels);
     context.insert("channels", &channels);

crates/app/src/routes/pages/profile.rs

@@ -1,7 +1,6 @@
 use super::{render_error, PaginatedQuery, ProfileQuery};
 use crate::{
-    assets::initial_context, check_user_blocked_or_private, get_lang, get_user_from_token,
-    sanitize::clean_settings, State,
+    assets::initial_context, check_user_blocked_or_private, get_lang, get_user_from_token, State,
 };
 use axum::{
     Extension,
@@ -84,7 +83,6 @@ pub async fn settings_request(
     context.insert("uploads", &uploads);
     context.insert("stacks", &stacks);
     context.insert("blocks", &blocks);
-    context.insert("user_settings_serde", &clean_settings(&profile.settings));
     context.insert(
         "user_tokens_serde",
         &serde_json::to_string(&tokens)

crates/app/src/sanitize.rs

@@ -1,5 +1,4 @@
 use ammonia::Builder;
-use tetratto_core::model::{auth::UserSettings, communities::CommunityContext};
 
 /// Escape profile colors
 pub fn color_escape(color: &str) -> String {
@@ -27,56 +26,3 @@ pub fn remove_tags(input: &str) -> String {
         .replace("&", "&")
         .replace("</script>", "</not-script")
 }
-
-fn clean_single(input: &str) -> String {
-    input
-        .replace("<", "&lt;")
-        .replace(">", "&gt;")
-        .replace("url(\"", "url(\"/api/v0/util/ext/image?img=")
-        .replace("url(https://", "url(/api/v0/util/ext/image?img=https://")
-        .replace("<style>", "")
-        .replace("</style>", "")
-}
-
-/// Clean user settings
-pub fn clean_settings(settings: &UserSettings) -> String {
-    remove_tags(&serde_json::to_string(&clean_settings_raw(settings)).unwrap())
-        .replace("\u{200d}", "")
-        // how do you end up with these in your settings?
-        .replace("\u{0010}", "")
-        .replace("\u{0011}", "")
-        .replace("\u{0012}", "")
-        .replace("\u{0013}", "")
-        .replace("\u{0014}", "")
-}
-
-/// Clean user settings row
-pub fn clean_settings_raw(settings: &UserSettings) -> UserSettings {
-    let mut settings = settings.to_owned();
-
-    settings.biography = clean_single(&settings.biography);
-    settings.theme_hue = clean_single(&settings.theme_hue);
-    settings.theme_sat = clean_single(&settings.theme_sat);
-    settings.theme_lit = clean_single(&settings.theme_lit);
-
-    settings
-}
-
-/// Clean community context
-pub fn clean_context(context: &CommunityContext) -> String {
-    remove_tags(&serde_json::to_string(&clean_context_raw(context)).unwrap())
-        .replace("\u{200d}", "")
-        // how do you end up with these in your settings?
-        .replace("\u{0010}", "")
-        .replace("\u{0011}", "")
-        .replace("\u{0012}", "")
-        .replace("\u{0013}", "")
-        .replace("\u{0014}", "")
-}
-
-/// Clean community context row
-pub fn clean_context_raw(context: &CommunityContext) -> CommunityContext {
-    let mut context = context.to_owned();
-    context.description = clean_single(&context.description);
-    context
-}

crates/core/src/database/auth.rs

@@ -51,6 +51,7 @@ impl DataManager {
 
     auto_method!(get_user_by_id(usize as i64)@get_user_from_row -> "SELECT * FROM users WHERE id = $1" --name="user" --returns=User --cache-key-tmpl="atto.user:{}");
     auto_method!(get_user_by_username(&str)@get_user_from_row -> "SELECT * FROM users WHERE username = $1" --name="user" --returns=User --cache-key-tmpl="atto.user:{}");
+    auto_method!(get_user_by_username_no_cache(&str)@get_user_from_row -> "SELECT * FROM users WHERE username = $1" --name="user" --returns=User);
 
     /// Get a user given just their ID. Returns the void user if the user doesn't exist.
     ///
@@ -409,7 +410,6 @@ impl DataManager {
         }
 
         self.cache_clear_user(&user).await;
-
         Ok(())
     }