t/tetratto
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

fix: profile settings html sanitization

Browse source
This commit is contained in:
trisua 2025-05-13 18:50:36 -04:00
parent d1e8e2b27c
commit 37d034db39
7 changed files with 6 additions and 66 deletions
Download patch file Download diff file Expand all files Collapse all files

2
crates/app/src/public/html/communities/settings.html
View file

@ -781,7 +781,7 @@
</script> </script>
<!-- prettier-ignore --> <!-- prettier-ignore -->
<script type="application/json" id="settings_json">{{ community_context_serde|safe }}</script> <script type="application/json" id="settings_json">{{ community.context|json_encode()|safe }}</script>
<script> <script>
setTimeout(() => { setTimeout(() => {

2
crates/app/src/public/html/profile/settings.html
View file

@ -860,7 +860,7 @@
</div> </div>
<!-- prettier-ignore --> <!-- prettier-ignore -->
<script type="application/json" id="settings_json">{{ user_settings_serde|safe }}</script> <script type="application/json" id="settings_json">{{ user.settings|json_encode()|safe }}</script>
<script> <script>
setTimeout(() => { setTimeout(() => {

2
crates/app/src/routes/api/v1/auth/mod.rs
View file

@ -133,7 +133,7 @@ pub async fn login_request(
} }
// verify password // verify password
let user = match data.get_user_by_username(&props.username).await { let user = match data.get_user_by_username_no_cache(&props.username).await {
Ok(ua) => ua, Ok(ua) => ua,
Err(_) => return (None, Json(Error::IncorrectPassword.into())), Err(_) => return (None, Json(Error::IncorrectPassword.into())),
}; };

6
crates/app/src/routes/pages/communities.rs
View file

@ -1,5 +1,5 @@
use super::{render_error, PaginatedQuery, RepostsQuery, SearchedQuery}; use super::{render_error, PaginatedQuery, RepostsQuery, SearchedQuery};
use crate::{assets::initial_context, get_lang, get_user_from_token, sanitize::clean_context, State}; use crate::{assets::initial_context, get_lang, get_user_from_token, State};
use axum::{ use axum::{
Extension, Extension,
extract::{Path, Query}, extract::{Path, Query},
@ -557,10 +557,6 @@ pub async fn settings_request(
let mut context = initial_context(&data.0.0, lang, &Some(user)).await; let mut context = initial_context(&data.0.0, lang, &Some(user)).await;
context.insert("community", &community); context.insert("community", &community);
context.insert(
"community_context_serde",
&clean_context(&community.context),
);
context.insert("can_manage_channels", &can_manage_channels); context.insert("can_manage_channels", &can_manage_channels);
context.insert("channels", &channels); context.insert("channels", &channels);

4
crates/app/src/routes/pages/profile.rs
View file

@ -1,7 +1,6 @@
use super::{render_error, PaginatedQuery, ProfileQuery}; use super::{render_error, PaginatedQuery, ProfileQuery};
use crate::{ use crate::{
assets::initial_context, check_user_blocked_or_private, get_lang, get_user_from_token, assets::initial_context, check_user_blocked_or_private, get_lang, get_user_from_token, State,
sanitize::clean_settings, State,
}; };
use axum::{ use axum::{
Extension, Extension,
@ -84,7 +83,6 @@ pub async fn settings_request(
context.insert("uploads", &uploads); context.insert("uploads", &uploads);
context.insert("stacks", &stacks); context.insert("stacks", &stacks);
context.insert("blocks", &blocks); context.insert("blocks", &blocks);
context.insert("user_settings_serde", &clean_settings(&profile.settings));
context.insert( context.insert(
"user_tokens_serde", "user_tokens_serde",
&serde_json::to_string(&tokens) &serde_json::to_string(&tokens)

54
crates/app/src/sanitize.rs
View file

@ -1,5 +1,4 @@
use ammonia::Builder; use ammonia::Builder;
use tetratto_core::model::{auth::UserSettings, communities::CommunityContext};
/// Escape profile colors /// Escape profile colors
pub fn color_escape(color: &str) -> String { pub fn color_escape(color: &str) -> String {
@ -27,56 +26,3 @@ pub fn remove_tags(input: &str) -> String {
.replace("&amp;", "&") .replace("&amp;", "&")
.replace("</script>", "</not-script") .replace("</script>", "</not-script")
} }
fn clean_single(input: &str) -> String {
input
.replace("<", "&lt;")
.replace(">", "&gt;")
.replace("url(\"", "url(\"/api/v0/util/ext/image?img=")
.replace("url(https://", "url(/api/v0/util/ext/image?img=https://")
.replace("<style>", "")
.replace("</style>", "")
}
/// Clean user settings
pub fn clean_settings(settings: &UserSettings) -> String {
remove_tags(&serde_json::to_string(&clean_settings_raw(settings)).unwrap())
.replace("\u{200d}", "")
// how do you end up with these in your settings?
.replace("\u{0010}", "")
.replace("\u{0011}", "")
.replace("\u{0012}", "")
.replace("\u{0013}", "")
.replace("\u{0014}", "")
}
/// Clean user settings row
pub fn clean_settings_raw(settings: &UserSettings) -> UserSettings {
let mut settings = settings.to_owned();
settings.biography = clean_single(&settings.biography);
settings.theme_hue = clean_single(&settings.theme_hue);
settings.theme_sat = clean_single(&settings.theme_sat);
settings.theme_lit = clean_single(&settings.theme_lit);
settings
}
/// Clean community context
pub fn clean_context(context: &CommunityContext) -> String {
remove_tags(&serde_json::to_string(&clean_context_raw(context)).unwrap())
.replace("\u{200d}", "")
// how do you end up with these in your settings?
.replace("\u{0010}", "")
.replace("\u{0011}", "")
.replace("\u{0012}", "")
.replace("\u{0013}", "")
.replace("\u{0014}", "")
}
/// Clean community context row
pub fn clean_context_raw(context: &CommunityContext) -> CommunityContext {
let mut context = context.to_owned();
context.description = clean_single(&context.description);
context
}

2
crates/core/src/database/auth.rs
View file

@ -51,6 +51,7 @@ impl DataManager {
auto_method!(get_user_by_id(usize as i64)@get_user_from_row -> "SELECT * FROM users WHERE id = $1" --name="user" --returns=User --cache-key-tmpl="atto.user:{}"); auto_method!(get_user_by_id(usize as i64)@get_user_from_row -> "SELECT * FROM users WHERE id = $1" --name="user" --returns=User --cache-key-tmpl="atto.user:{}");
auto_method!(get_user_by_username(&str)@get_user_from_row -> "SELECT * FROM users WHERE username = $1" --name="user" --returns=User --cache-key-tmpl="atto.user:{}"); auto_method!(get_user_by_username(&str)@get_user_from_row -> "SELECT * FROM users WHERE username = $1" --name="user" --returns=User --cache-key-tmpl="atto.user:{}");
auto_method!(get_user_by_username_no_cache(&str)@get_user_from_row -> "SELECT * FROM users WHERE username = $1" --name="user" --returns=User);
/// Get a user given just their ID. Returns the void user if the user doesn't exist. /// Get a user given just their ID. Returns the void user if the user doesn't exist.
/// ///
@ -409,7 +410,6 @@ impl DataManager {
} }
self.cache_clear_user(&user).await; self.cache_clear_user(&user).await;
Ok(()) Ok(())
} }