Received: from mail.netlandish.com (mail.netlandish.com [174.136.98.166]) by code.netlandish.com (Postfix) with ESMTP id 7553D27B for <~netlandish/links-dev@lists.code.netlandish.com>; Sat, 15 Feb 2025 14:34:59 +0000 (UTC) Received-SPF: Pass (mailfrom) identity=mailfrom; client-ip=209.85.128.175; helo=mail-yw1-f175.google.com; envelope-from=peter@netlandish.com; receiver= Authentication-Results: mail.netlandish.com; dkim=pass (1024-bit key; unprotected) header.d=netlandish.com header.i=@netlandish.com header.b=mTlGEUYw Received: from mail-yw1-f175.google.com (mail-yw1-f175.google.com [209.85.128.175]) by mail.netlandish.com (Postfix) with ESMTP id F0BE81D67F4 for <~netlandish/links-dev@lists.code.netlandish.com>; Sat, 15 Feb 2025 14:42:38 +0000 (UTC) Received: by mail-yw1-f175.google.com with SMTP id 00721157ae682-6f9e78593b8so24489917b3.1 for <~netlandish/links-dev@lists.code.netlandish.com>; Sat, 15 Feb 2025 06:42:38 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=netlandish.com; s=google; t=1739630558; x=1740235358; darn=lists.code.netlandish.com; h=content-transfer-encoding:mime-version:message-id:date:subject:to :from:from:to:cc:subject:date:message-id:reply-to; bh=eRXIauMUCCOzxyos+k67OuRXUKuMz2esgopNHZwYWIU=; b=mTlGEUYwjMkvbH9lpbYvVhuVfnF+8FVZjVWI3IchtaVlk2HcXD8FVvV5oizRg7v8l8 nPjnIwoCnDKlLJF0uW9ds23OtPYPiyGW2Z7mc2NHTGx7NfoiLfe91c37ZX2rzu4m/YRO xscSFXgmGy89EqGoyAcIwVZ501+x6MbHymldY= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1739630558; x=1740235358; h=content-transfer-encoding:mime-version:message-id:date:subject:to :from:x-gm-message-state:from:to:cc:subject:date:message-id:reply-to; bh=eRXIauMUCCOzxyos+k67OuRXUKuMz2esgopNHZwYWIU=; b=YIwU+WJjTlTD0Y/+zSw4fBK6wGBXcTUBkt58qEwDmANKOATf+X30ciiGkamRWVvcC8 5ZJDSgYUr2JH/EDFBCj4pQQxt/i8DsEPP7mcjVZSogEXrmVC3EE3h2rMbLNAhqViHJ/S 89wSjo74+Qb1d9l95eiT0MZEcNuUjE3omaA3ouvEI8JePG+C8vugnF1DBTWNqi2pCxdx 
semKBww69p3vXUAQUo/g4t67wI3o0ei/6dwLTkYv1ugWgeGF9/T8JKUqpm7Cuiusm+4x PmM2VkZdHqHz+4y2KoKHtdSYLkXZswgoIoRY+h0mHEDfsBIMuYVb+d7F4GEb0nRLcODX LqcQ== X-Gm-Message-State: AOJu0YyGK+k8k9dum8ISoeq0qGA6EGzZDjFvnVUHewx+YCvKYHTjoYC9 7v/cCE4vAkgUnt4EAzlPPPeiyBToYZU6vB/AiFlcEyDV3u+390IihcUSPQtmQhFCHFpp2YqMyJT UfXw= X-Gm-Gg: ASbGncsEk0Pb7AwsYH98xIp+LpkrHDeysaLn5zuz5X6EyTVxQaF9M7EbdVVPSuCIfdK SsF1EhEGGUq2anxHZHKMiyVK+k5QWG/9xC+o5hGrngX5dY77sfwZyjd3TzXFbohbWXug+3jkjXD 4tgRd9aBlnIiZb9HjeQ/bqrmsxt1EuiTqpuFDP8Mybi5NxZtI7RiaAurdothM00VeohpTutFvxP eRHFjXVkVJ1oAaJpYTwBkXrKACepbV+0snE/aMaSsQsICzOg5w/1f1Y4rvgedx5QFORfDCQRZPl GdcpC1VYtGHwFaxo X-Google-Smtp-Source: AGHT+IH3vsowD6oOqkxZmDhR1WK8CA+FS4GNPFgS/p8kicSVJpzjeAf7Lq9phOdpX20kQKpg6AMbqg== X-Received: by 2002:a05:690c:700c:b0:6f9:d615:9707 with SMTP id 00721157ae682-6fb33d32884mr118196887b3.17.1739630557980; Sat, 15 Feb 2025 06:42:37 -0800 (PST) Received: from localhost ([2803:2d60:1107:87f:cb49:590b:e4e2:f6d4]) by smtp.gmail.com with ESMTPSA id 00721157ae682-6fb35d58baesm12436207b3.20.2025.02.15.06.42.36 for <~netlandish/links-dev@lists.code.netlandish.com> (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Sat, 15 Feb 2025 06:42:37 -0800 (PST) 
From: Peter Sanchez
To: ~netlandish/links-dev@lists.code.netlandish.com
Subject: [PATCH links] Strip html tags instead of escaping all input. Fix escaping when displaying sanitized data on feed / list pages.
Date: Sat, 15 Feb 2025 08:41:47 -0600
Message-ID: <20250215144234.8038-1-peter@netlandish.com>
X-Mailer: git-send-email 2.47.2
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit

Implements: https://todo.code.netlandish.com/~netlandish/links/93
---
You can use the following program to correct any existing entries in case anyone actually has this running anywhere.

https://paste.sr.ht/~petersanchez/95f653a54e7ad896472e26950bd88446cda974e1

 core/routes.go | 2 --
 helpers.go | 12 ++++++------
 templates/feed.html | 4 ++--
 templates/link_list.html | 6 +++---
 4 files changed, 11 insertions(+), 13 deletions(-)

diff --git a/core/routes.go b/core/routes.go
index 041bc41..8338503 100644
--- a/core/routes.go
+++ b/core/routes.go
@@ -1584,7 +1584,6 @@ func (s *Service) PopularLinkList(c echo.Context) error {
 meta {
 image
 description
- image
 siteName
 }
 }
@@ -1919,7 +1918,6 @@ func (s *Service) OrgLinksList(c echo.Context) error {
 meta {
 image
 description
- image
 siteName
 }
 }
diff --git a/helpers.go b/helpers.go
index 6849b95..36a6eb7 100644
--- a/helpers.go
+++ b/helpers.go
@@ -322,33 +322,33 @@ func extract(resp io.Reader) *models.HTMLMeta {
 if t.Data == "meta" {
 desc, ok := extractMetaProperty(t, "description")
 if ok {
- hm.Description = html.EscapeString(desc)
+ hm.Description = core.StripHtmlTags(desc)
 }
 ogTitle, ok := extractMetaProperty(t, "og:title")
 if ok {
- hm.Title = html.EscapeString(ogTitle)
+ hm.Title = core.StripHtmlTags(ogTitle)
 }
 ogDesc, ok := extractMetaProperty(t, "og:description")
 if ok {
- hm.Description = html.EscapeString(ogDesc)
+ hm.Description = core.StripHtmlTags(ogDesc)
 }
 ogImage, ok := extractMetaProperty(t, "og:image")
 if ok {
- hm.Image = html.EscapeString(ogImage)
+ hm.Image = core.StripHtmlTags(ogImage)
 }
 ogSiteName, ok := extractMetaProperty(t, "og:site_name")
 if ok {
- hm.SiteName = html.EscapeString(ogSiteName)
+ hm.SiteName = core.StripHtmlTags(ogSiteName)
 }
 }
 case html.TextToken:
 if titleFound {
 t := z.Token()
- hm.Title = html.EscapeString(t.Data)
+ hm.Title = core.StripHtmlTags(t.Data)
 titleFound = false
 }
 }
diff --git a/templates/feed.html b/templates/feed.html
index 64657d9..43cfbe2 100644
--- a/templates/feed.html
+++ b/templates/feed.html
@@ -54,9 +54,9 @@ {{if .Description}} -
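Review bot: The six assignments in `extract` now store tag-stripped text instead of entity-escaped text, so the stored `HTMLMeta` fields are only as safe as `core.StripHtmlTags`, whose body is not part of this patch. Two properties should be pinned down with tests next to that helper: that it does not decode entities back into markup characters after removing tags, and that it handles malformed or unterminated tags. `hm.Image` is a URL rather than prose, so tag stripping does not constrain it; a scheme check along the lines of `if u, err := url.Parse(ogImage); err == nil && (u.Scheme == "http" || u.Scheme == "https") { hm.Image = u.String() }` would state the intent directly. A comment on `extract` such as `// Meta fields are stored tag-stripped, not HTML-escaped; every render site must escape them.` would record the changed contract. The function starts and ends outside this hunk.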

{{truncate .Description 200}}

+

{{htmlSafe (truncate .Description 200)}}

{{else if .BaseURLData.Meta.Description}} -

{{truncate .BaseURLData.Meta.Description 200}}

+

{{htmlSafe (truncate .BaseURLData.Meta.Description 200)}}

{{end}} {{if $.isPopular}} -

{{truncate .Data.Meta.Description 200}}

+

{{htmlSafe (truncate .Data.Meta.Description 200)}}

{{else}} {{if .Description}} -

{{truncate .Description 200}}

+

{{htmlSafe (truncate .Description 200)}}

{{else if .BaseURLData.Meta.Description}} -

{{truncate .BaseURLData.Meta.Description 200}}

+

{{htmlSafe (truncate .BaseURLData.Meta.Description 200)}}

{{end}} {{end}} {{if .Tags}} -- 2.47.2
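Review bot: Wrapping the description in `htmlSafe` (two places in feed.html, three in link_list.html) presumably switches off html/template's contextual auto-escaping for text scraped from third-party pages, so these views now rely entirely on every stored value having passed through `core.StripHtmlTags`. Nothing in this patch shows the user-entered `.Description` going through that helper, and rows saved before the change are only covered if each deployment runs the one-off cleanup program linked in the description. A more defensive shape is to store plain text, decoding entities once at ingest with `html.UnescapeString` after stripping, and to keep `{{truncate .Description 200}}` under default escaping so the template remains the last line of defence. Truncating before marking the string safe can also cut an entity in half, which is harmless but renders garbled text.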