Use modern Phoenix HTML escaping (#236)

derpibooru · Apr 27, 2024 · 101aec0 · 101aec0
1 parent eb79ee4
commit 101aec0
Show file tree

Hide file tree

Showing 3 changed files with 13 additions and 8 deletions.
diff --git a/lib/philomena_web/markdown_renderer.ex b/lib/philomena_web/markdown_renderer.ex
@@ -3,7 +3,6 @@ defmodule PhilomenaWeb.MarkdownRenderer do
   alias Philomena.Images.Image
   alias Philomena.Repo
   alias PhilomenaWeb.ImageView
-  import Phoenix.HTML
   import Phoenix.HTML.Link
   import Ecto.Query
 
@@ -84,7 +83,6 @@ defmodule PhilomenaWeb.MarkdownRenderer do
                   size: ImageView.select_version(img, :medium),
                   conn: conn
                 )
-                |> safe_to_string()
 
               [_id, "t"] when not img.hidden_from_users and img.approved ->
                 Phoenix.View.render(ImageView, "_image_target.html",
@@ -93,7 +91,6 @@ defmodule PhilomenaWeb.MarkdownRenderer do
                   size: ImageView.select_version(img, :small),
                   conn: conn
                 )
-                |> safe_to_string()
 
               [_id, "s"] when not img.hidden_from_users and img.approved ->
                 Phoenix.View.render(ImageView, "_image_target.html",
@@ -102,18 +99,15 @@ defmodule PhilomenaWeb.MarkdownRenderer do
                   size: ImageView.select_version(img, :thumb_small),
                   conn: conn
                 )
-                |> safe_to_string()
 
               [_id, suffix] when not img.approved ->
                 ">>#{img.id}#{suffix}#{link_suffix(img)}"
 
               [_id, ""] ->
                 link(">>#{img.id}#{link_suffix(img)}", to: "/images/#{img.id}")
-                |> safe_to_string()
 
               [_id, suffix] when suffix in ["t", "s", "p"] ->
                 link(">>#{img.id}#{suffix}#{link_suffix(img)}", to: "/images/#{img.id}")
-                |> safe_to_string()
 
               # This condition should never trigger, but let's leave it here just in case.
               [id, suffix] ->
@@ -124,7 +118,12 @@ defmodule PhilomenaWeb.MarkdownRenderer do
             ">>#{text}"
         end
 
-      [text, rendered]
+      string_contents =
+        rendered
+        |> Phoenix.HTML.Safe.to_iodata()
+        |> IO.iodata_to_binary()
+
+      [text, string_contents]
     end)
     |> Map.new(fn [id, html] -> {id, html} end)
   end

diff --git a/lib/philomena_web/stats_updater.ex b/lib/philomena_web/stats_updater.ex
@@ -45,13 +45,15 @@ defmodule PhilomenaWeb.StatsUpdater do
         distinct_creators: distinct_creators,
         images_in_galleries: images_in_galleries
       )
+      |> Phoenix.HTML.Safe.to_iodata()
+      |> IO.iodata_to_binary()
 
     now = DateTime.utc_now() |> DateTime.truncate(:second)
 
     static_page = %{
       title: "Statistics",
       slug: "stats",
-      body: Phoenix.HTML.safe_to_string(result),
+      body: result,
       created_at: now,
       updated_at: now
     }

diff --git a/lib/philomena_web/views/tag_view.ex b/lib/philomena_web/views/tag_view.ex
@@ -103,13 +103,17 @@ defmodule PhilomenaWeb.TagView do
     {tags, shipping, data}
   end
 
+  # This is a rendered template, so raw/1 has no effect on safety
+  # sobelow_skip ["XSS.Raw"]
   defp render_quick_tags({tags, shipping, data}, conn) do
     render(PhilomenaWeb.TagView, "_quick_tag_table.html",
       tags: tags,
       shipping: shipping,
       data: data,
       conn: conn
     )
+    |> Phoenix.HTML.Safe.to_iodata()
+    |> Phoenix.HTML.raw()
   end
 
   defp names_in_tab("default", data) do