Peter Sanchez: 1 backend: adding bluemonday for proper HTML sanitizing. 4 files changed, 19 insertions(+), 10 deletions(-)
Copy & paste the following snippet into your terminal to import this patchset into git:
curl -s https://lists.code.netlandish.com/~netlandish/links-dev/patches/218/mbox | git am -3Learn more about email & git
Changelog-fixed: Issue when sanitizing user input that has valid characters that would be stripped as html tags. --- api/graph/schema.resolvers.go | 8 ++++---- go.mod | 3 +++ go.sum | 5 +++++ helpers.go | 13 +++++++------ 4 files changed, 19 insertions(+), 10 deletions(-) diff --git a/api/graph/schema.resolvers.go b/api/graph/schema.resolvers.go index bf295fd..120051b 100644 --- a/api/graph/schema.resolvers.go +++ b/api/graph/schema.resolvers.go @@ -42,7 +42,7 @@ import ( auditlog "netlandish.com/x/gobwebs-auditlog" oauth2 "netlandish.com/x/gobwebs-oauth2" gaccounts "netlandish.com/x/gobwebs/accounts" - gcore "netlandish.com/x/gobwebs/core" + "github.com/microcosm-cc/bluemonday" "netlandish.com/x/gobwebs/crypto" "netlandish.com/x/gobwebs/database" "netlandish.com/x/gobwebs/email" @@ -569,7 +569,7 @@ func (r *mutationResolver) AddLink(ctx context.Context, input *model.LinkInput) Hash: ksuid.New().String(), } if input.Description != nil { - OrgLink.Description = gcore.StripHtmlTags(*input.Description) + OrgLink.Description = bluemonday.StrictPolicy().Sanitize(*input.Description) } err = OrgLink.Store(ctx) @@ -765,7 +765,7 @@ func (r *mutationResolver) UpdateLink(ctx context.Context, input *model.UpdateLi orgLink.Title = *input.Title } if input.Description != nil { - orgLink.Description = gcore.StripHtmlTags(*input.Description) + orgLink.Description = bluemonday.StrictPolicy().Sanitize(*input.Description) } if input.Unread != nil { @@ -1074,7 +1074,7 @@ func (r *mutationResolver) AddNote(ctx context.Context, input *model.NoteInput) OrgLinkNote := &models.OrgLink{ Title: input.Title, OrgID: org.ID, - Description: gcore.StripHtmlTags(input.Description), + Description: bluemonday.StrictPolicy().Sanitize(input.Description), BaseURLID: BaseURL.ID, Visibility: string(input.Visibility), Starred: input.Starred, diff --git a/go.mod b/go.mod index 1bea701..d74e868 100644 --- a/go.mod +++ b/go.mod @@ -17,6 +17,7 @@ require ( github.com/lib/pq v1.10.9 github.com/mattermost/mattermost-plugin-apps v1.1.0 github.com/mattermost/mattermost-server/v6 v6.6.0 + github.com/microcosm-cc/bluemonday v1.0.27 github.com/oschwald/geoip2-golang v1.9.0 github.com/segmentio/ksuid v1.0.4 github.com/shopspring/decimal v1.2.0 @@ -54,6 +55,7 @@ require ( github.com/alecthomas/chroma/v2 v2.14.0 // indirect github.com/alexedwards/argon2id v1.0.0 // indirect github.com/aws/aws-sdk-go v1.54.18 // indirect + github.com/aymerick/douceur v0.2.0 // indirect github.com/beorn7/perks v1.0.1 // indirect github.com/bgentry/go-netrc v0.0.0-20140422174119-9fd32a8b3d3d // indirect github.com/blang/semver v3.5.1+incompatible // indirect @@ -89,6 +91,7 @@ require ( github.com/google/go-cmp v0.6.0 // indirect github.com/google/uuid v1.6.0 // indirect github.com/googleapis/gax-go/v2 v2.1.1 // indirect + github.com/gorilla/css v1.0.1 // indirect github.com/gorilla/mux v1.8.0 // indirect github.com/gorilla/websocket v1.5.0 // indirect github.com/graph-gophers/graphql-go v1.3.0 // indirect diff --git a/go.sum b/go.sum index d2091e0..548627e 100644 --- a/go.sum +++ b/go.sum @@ -232,6 +232,7 @@ github.com/aws/aws-sdk-go-v2/service/sts v1.6.1/go.mod h1:hLZ/AnkIKHLuPGjEiyghNE github.com/aws/aws-sdk-go-v2/service/sts v1.7.2/go.mod h1:8EzeIqfWt2wWT4rJVu3f21TfrhJ8AEMzVybRNSb/b4g= github.com/aws/smithy-go v1.7.0/go.mod h1:SObp3lf9smib00L/v3U2eAKG8FyQ7iLrJnQiAmR5n+E= github.com/aws/smithy-go v1.8.0/go.mod h1:SObp3lf9smib00L/v3U2eAKG8FyQ7iLrJnQiAmR5n+E= +github.com/aymerick/douceur v0.2.0 h1:Mv+mAeH1Q+n9Fr+oyamOlAkUNPWPlA8PPGR0QAaYuPk= github.com/aymerick/douceur v0.2.0/go.mod h1:wlT5vV2O3h55X9m7iVYN0TBM0NH/MmbLnd30/FjWUq4= github.com/aymerick/raymond v2.0.3-0.20180322193309-b565731e1464+incompatible/go.mod h1:osfaiScAUVup+UC9Nfq76eWqDhXlp+4UYaA8uhTBO6g= github.com/beevik/etree v1.1.0/go.mod h1:r8Aw8JqVegEf0w2fDnATrX9VpkMcyFeM0FhwO62wh+A= @@ -775,6 +776,8 @@ github.com/gopherjs/gopherjs v0.0.0-20181017120253-0766667cb4d1/go.mod h1:wJfORR github.com/gopherjs/gopherjs v0.0.0-20211111143520-d0d5ecc1a356/go.mod h1:cz9oNYuRUWGdHmLF2IodMLkAhcPtXeULvcBNagUrxTI= github.com/gopherjs/gopherjs v0.0.0-20220221023154-0b2280d3ff96/go.mod h1:pRRIvn/QzFLrKfvEz3qUuEhtE/zLCWfreZ6J5gM2i+k= github.com/gorilla/css v1.0.0/go.mod h1:Dn721qIggHpt4+EFCcTLTU/vk5ySda2ReITrtgBl60c= +github.com/gorilla/css v1.0.1 h1:ntNaBIghp6JmvWnxbZKANoLyuXTPZ4cAMlo6RyhlbO8= +github.com/gorilla/css v1.0.1/go.mod h1:BvnYkspnSzMmwRK+b8/xgNPLiIuNZr6vbZBTPQ2A3b0= github.com/gorilla/handlers v0.0.0-20150720190736-60c7bfde3e33/go.mod h1:Qkdc/uu4tH4g6mTK6auzZ766c4CA0Ng8+o/OAirnOIQ= github.com/gorilla/handlers v1.4.2/go.mod h1:Qkdc/uu4tH4g6mTK6auzZ766c4CA0Ng8+o/OAirnOIQ= github.com/gorilla/handlers v1.5.1/go.mod h1:t8XrUpc4KVXb7HGyJ4/cEnwQiaxrX/hz1Zv/4g96P1Q= @@ -1136,6 +1139,8 @@ github.com/mholt/archiver/v3 v3.5.1/go.mod h1:e3dqJ7H78uzsRSEACH1joayhuSyhnonssn github.com/microcosm-cc/bluemonday v1.0.1/go.mod h1:hsXNsILzKxV+sX77C5b8FSuKF00vh2OMYv+xgHpAMF4= github.com/microcosm-cc/bluemonday v1.0.2/go.mod h1:iVP4YcDBq+n/5fb23BhYFvIMq/leAFZyRl6bYmGDlGc= github.com/microcosm-cc/bluemonday v1.0.18/go.mod h1:Z0r70sCuXHig8YpBzCc5eGHAap2K7e/u082ZUpDRRqM= +github.com/microcosm-cc/bluemonday v1.0.27 h1:MpEUotklkwCSLeH+Qdx1VJgNqLlpY2KXwXFM08ygZfk= +github.com/microcosm-cc/bluemonday v1.0.27/go.mod h1:jFi9vgW+H7c3V0lb6nR74Ib/DIB5OBs92Dimizgw2cA= github.com/miekg/dns v1.0.14/go.mod h1:W1PPwlIAgtquWBMBEV9nkV9Cazfe8ScdGz/Lj7v3Nrg= github.com/miekg/dns v1.1.26/go.mod h1:bPDLeHnStXmXAq1m/Ch/hvfNHr14JKNPMBo3VZKjuso= github.com/miekg/dns v1.1.41/go.mod h1:p6aan82bvRIyn+zDIv9xYNUpwa73JcSh9BKwknJysuI= diff --git a/helpers.go b/helpers.go index 09524fe..eb77b00 100644 --- a/helpers.go +++ b/helpers.go @@ -26,6 +26,7 @@ import ( "unicode/utf8" "git.sr.ht/~emersion/gqlclient" + "github.com/microcosm-cc/bluemonday" "github.com/99designs/gqlgen/graphql" sq "github.com/Masterminds/squirrel" "github.com/labstack/echo/v4" @@ -346,33 +347,33 @@ func extract(resp io.Reader) *models.HTMLMeta { if t.Data == "meta" { desc, ok := extractMetaProperty(t, "description") if ok { - hm.Description = SanitizeUTF8(core.StripHtmlTags(desc)) + hm.Description = SanitizeUTF8(bluemonday.StrictPolicy().Sanitize(desc)) } ogTitle, ok := extractMetaProperty(t, "og:title") if ok { - hm.Title = SanitizeUTF8(core.StripHtmlTags(ogTitle)) + hm.Title = SanitizeUTF8(bluemonday.StrictPolicy().Sanitize(ogTitle)) } ogDesc, ok := extractMetaProperty(t, "og:description") if ok { - hm.Description = SanitizeUTF8(core.StripHtmlTags(ogDesc)) + hm.Description = SanitizeUTF8(bluemonday.StrictPolicy().Sanitize(ogDesc)) } ogImage, ok := extractMetaProperty(t, "og:image") if ok { - hm.Image = SanitizeUTF8(core.StripHtmlTags(ogImage)) + hm.Image = SanitizeUTF8(bluemonday.StrictPolicy().Sanitize(ogImage)) } ogSiteName, ok := extractMetaProperty(t, "og:site_name") if ok { - hm.SiteName = SanitizeUTF8(core.StripHtmlTags(ogSiteName)) + hm.SiteName = SanitizeUTF8(bluemonday.StrictPolicy().Sanitize(ogSiteName)) } } case html.TextToken: if titleFound { t := z.Token() - hm.Title = SanitizeUTF8(core.StripHtmlTags(t.Data)) + hm.Title = SanitizeUTF8(bluemonday.StrictPolicy().Sanitize(t.Data)) titleFound = false } } -- 2.52.0
Applied. To git@git.code.netlandish.com:~netlandish/links 78efdd9..a63d31d master -> master