From dc6647f5dc24aee4863dba789e001e0b8d899aef Mon Sep 17 00:00:00 2001
From: Thomas Citharel
Date: Wed, 6 Dec 2023 11:46:56 +0100
Subject: [PATCH] fix: sanitize descriptions from resources

Currently resources descriptions are not used anywhere but they are prefilled from source URL preview. Still, doesn't hurt to sanitize these.

Signed-off-by: Thomas Citharel
---
 .../activity_pub/types/resources.ex | 39 +++++++++++--------
 1 file changed, 23 insertions(+), 16 deletions(-)

diff --git a/lib/federation/activity_pub/types/resources.ex b/lib/federation/activity_pub/types/resources.ex
index f38d2c8a..59974421 100644
--- a/lib/federation/activity_pub/types/resources.ex
+++ b/lib/federation/activity_pub/types/resources.ex
@@ -8,6 +8,7 @@ defmodule Mobilizon.Federation.ActivityPub.Types.Resources do
   alias Mobilizon.Federation.ActivityStream.Convertible
   alias Mobilizon.Resources.Resource
   alias Mobilizon.Service.Activity.Resource, as: ResourceActivity
+  alias Mobilizon.Service.Formatter.HTML
   alias Mobilizon.Service.RichMedia.Parser
   require Logger
@@ -20,21 +21,8 @@ defmodule Mobilizon.Federation.ActivityPub.Types.Resources do
   @spec create(map(), map()) ::
           {:ok, Resource.t(), ActivityStream.t()}
           | {:error, Ecto.Changeset.t() | :creator_not_found | :group_not_found}
-  def create(%{type: type} = args, additional) do
-    args =
-      case type do
-        :folder ->
-          args
-        _ ->
-          case Parser.parse(Map.get(args, :resource_url)) do
-            {:ok, metadata} ->
-              Map.put(args, :metadata, metadata)
-            _ ->
-              args
-          end
-      end
+  def create(args, additional) do
+    args = prepare_args(args)
     with {:ok,
           %Resource{actor_id: group_id, creator_id: creator_id, parent_id: parent_id} = resource} <-
@@ -76,7 +64,7 @@ defmodule Mobilizon.Federation.ActivityPub.Types.Resources do
           additional
         )
         when old_parent_id != parent_id do
-    move(old_resource, args, additional)
+    move(old_resource, prepare_args(args), additional)
   end
   # Simple rename
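Review bot: `move(old_resource, prepare_args(args), additional)` now runs the resource-URL preview on the move path as well as on create: for every non-folder type, `prepare_args/1` calls `Parser.parse(Map.get(args, :resource_url))`, which presumably performs a server-side fetch of the caller-supplied URL, so the move path now shares that exposure, and on a move the args may carry no `:resource_url` at all, so `Parser.parse(nil)` is reached — the commit message only mentions sanitizing descriptions, so confirm this extra fetch is intended. `prepare_args/1` also matches `%{type: type}` in its head, so a move whose args lack `:type` now raises `FunctionClauseError` where `move/3` previously accepted them; the `update/3` head that binds `args` is outside this hunk, as is the `create/2` body in the previous hunk that lost the same head match. If only the sanitizing is wanted here, consider splitting the description handling out of `prepare_args/1` into its own small helper and calling just that helper from this line, leaving the URL preview on the create path alone.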
@@ -218,4 +206,23 @@ defmodule Mobilizon.Federation.ActivityPub.Types.Resources do
   defp parents(old_parent_id, new_parent_id) do
     {:ok, Resources.get_resource(old_parent_id), Resources.get_resource(new_parent_id)}
   end
+
+  defp prepare_args(%{type: type} = args) do
+    args =
+      case type do
+        :folder ->
+          args
+        _ ->
+          case Parser.parse(Map.get(args, :resource_url)) do
+            {:ok, metadata} ->
+              Map.put(args, :metadata, metadata)
+            _ ->
+              args
+          end
+      end
+
+    Map.update(args, :description, nil, &HTML.strip_tags/1)
+  end
 end
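Review bot: `Map.update(args, :description, nil, &HTML.strip_tags/1)` inserts `description: nil` into `args` whenever the key is absent, because `Map.update/4` stores the default when the key is missing; on the move path (hunk @@ -76) that explicit nil could then be cast as a value and clear an existing description, and if `HTML.strip_tags/1` does not accept nil, args that already carry `description: nil` would raise here. Only touching the key when it is present avoids the first problem: `if Map.has_key?(args, :description), do: Map.update!(args, :description, &HTML.strip_tags/1), else: args` — an explicit nil value still reaches `strip_tags/1` in that form, so guard the call with `is_binary/1` if `strip_tags/1` requires a binary. A `@spec prepare_args(map()) :: map()` and a one-line comment such as `# Prefills :metadata from the resource URL preview for non-folders and strips HTML from :description` would document the helper's two jobs, since the commit message covers only the second.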