From 101aec001b8b5d854e629e2350eac4bbf92d8e69 Mon Sep 17 00:00:00 2001
From: liamwhite
Date: Sat, 27 Apr 2024 14:01:02 -0400
Subject: [PATCH] Use modern Phoenix HTML escaping (#236)
---
 lib/philomena_web/markdown_renderer.ex | 13 ++++++-------
 lib/philomena_web/stats_updater.ex | 4 +++-
 lib/philomena_web/views/tag_view.ex | 4 ++++
 3 files changed, 13 insertions(+), 8 deletions(-)
diff --git a/lib/philomena_web/markdown_renderer.ex b/lib/philomena_web/markdown_renderer.ex
index a37b1a42a..508a960fa 100644
--- a/lib/philomena_web/markdown_renderer.ex
+++ b/lib/philomena_web/markdown_renderer.ex
@@ -3,7 +3,6 @@ defmodule PhilomenaWeb.MarkdownRenderer do
 alias Philomena.Images.Image
 alias Philomena.Repo
 alias PhilomenaWeb.ImageView
- import Phoenix.HTML
 import Phoenix.HTML.Link
 import Ecto.Query
@@ -84,7 +83,6 @@ defmodule PhilomenaWeb.MarkdownRenderer do
 size: ImageView.select_version(img, :medium),
 conn: conn
 )
- |> safe_to_string()
 [_id, "t"] when not img.hidden_from_users and img.approved ->
 Phoenix.View.render(ImageView, "_image_target.html",
@@ -93,7 +91,6 @@ defmodule PhilomenaWeb.MarkdownRenderer do
 size: ImageView.select_version(img, :small),
 conn: conn
 )
- |> safe_to_string()
 [_id, "s"] when not img.hidden_from_users and img.approved ->
 Phoenix.View.render(ImageView, "_image_target.html",
@@ -102,18 +99,15 @@ defmodule PhilomenaWeb.MarkdownRenderer do
 size: ImageView.select_version(img, :thumb_small),
 conn: conn
 )
- |> safe_to_string()
 [_id, suffix] when not img.approved ->
 ">>#{img.id}#{suffix}#{link_suffix(img)}"
 [_id, ""] ->
 link(">>#{img.id}#{link_suffix(img)}", to: "/images/#{img.id}")
- |> safe_to_string()
 [_id, suffix] when suffix in ["t", "s", "p"] ->
 link(">>#{img.id}#{suffix}#{link_suffix(img)}", to: "/images/#{img.id}")
- |> safe_to_string()
 # This condition should never trigger, but let's leave it here just in case.
 [id, suffix] ->
@@ -124,7 +118,12 @@ defmodule PhilomenaWeb.MarkdownRenderer do
 ">>#{text}"
 end
- [text, rendered]
+ string_contents =
+ rendered
+ |> Phoenix.HTML.Safe.to_iodata()
+ |> IO.iodata_to_binary()
+
+ [text, string_contents]
 end)
 |> Map.new(fn [id, html] -> {id, html} end)
 end
diff --git a/lib/philomena_web/stats_updater.ex b/lib/philomena_web/stats_updater.ex
index caecc6b61..dc53324d2 100644
--- a/lib/philomena_web/stats_updater.ex
+++ b/lib/philomena_web/stats_updater.ex
@@ -45,13 +45,15 @@ defmodule PhilomenaWeb.StatsUpdater do
 distinct_creators: distinct_creators,
 images_in_galleries: images_in_galleries
 )
+ |> Phoenix.HTML.Safe.to_iodata()
+ |> IO.iodata_to_binary()
 now = DateTime.utc_now() |> DateTime.truncate(:second)
 static_page = %{
 title: "Statistics",
 slug: "stats",
- body: Phoenix.HTML.safe_to_string(result),
+ body: result,
 created_at: now,
 updated_at: now
 }
diff --git a/lib/philomena_web/views/tag_view.ex b/lib/philomena_web/views/tag_view.ex
index ada8ffdde..bcbc1e229 100644
--- a/lib/philomena_web/views/tag_view.ex
+++ b/lib/philomena_web/views/tag_view.ex
@@ -103,6 +103,8 @@ defmodule PhilomenaWeb.TagView do
 {tags, shipping, data}
 end
+ # This is a rendered template, so raw/1 has no effect on safety
+ # sobelow_skip ["XSS.Raw"]
 defp render_quick_tags({tags, shipping, data}, conn) do
 render(PhilomenaWeb.TagView, "_quick_tag_table.html",
 tags: tags,
@@ -110,6 +112,8 @@ defmodule PhilomenaWeb.TagView do
 data: data,
 conn: conn
 )
+ |> Phoenix.HTML.Safe.to_iodata()
+ |> Phoenix.HTML.raw()
 end
 defp names_in_tab("default", data) do
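Review bot: `Phoenix.HTML.Safe.to_iodata/1` in the new `string_contents` pipeline HTML-escapes plain binaries, so the branches that return a bare string (`[_id, suffix] when not img.approved ->` and the fallback `[id, suffix] ->` in the `@@ -102,18 +99,15 @@` hunk, where the `safe_to_string()` calls were dropped) now produce `&gt;&gt;…` where the old code passed `>>…` through verbatim, while the `{:safe, _}` values from `render/3` and `link/2` are unwrapped unchanged. That is the safer direction if the map values are spliced into HTML output, but it is a visible output change for those branches that the commit message does not mention, and it also escapes whatever `link_suffix/1` returns, which is not visible here. I would add a comment above `string_contents =` such as `# to_iodata/1 escapes bare binaries and unwraps {:safe, _} values, so every map value is escaped HTML` and confirm the consumer treats the values as HTML rather than text. The enclosing `Enum.map` callback and the function it belongs to start outside the hunk.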
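Review bot: The justification comment added above `defp render_quick_tags` in the `@@ -103,6 +103,8 @@` hunk is narrower than what the code actually guarantees: `Phoenix.HTML.Safe.to_iodata/1` in the `@@ -110,6 +112,8 @@` hunk escapes any plain binary and only unwraps `{:safe, _}` values, so `Phoenix.HTML.raw/1` re-tags iodata that is already escaped whether or not the input came from a template. Since the `sobelow_skip` annotation covers the whole function, stating that invariant is what keeps the skip defensible if the function is later changed to accept something other than a `render/3` result: `# to_iodata/1 escapes bare binaries and unwraps {:safe, _}, so raw/1 only re-tags already-escaped iodata`. The function's body spans both hunks.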