Use modern Phoenix HTML escaping (#236)

2024-11-27 13:47:58 +01:00 · 2024-04-27 14:01:02 -04:00 · 2024-04-27 14:01:02 -04:00 · 101aec001b
commit 101aec001b
parent eb79ee45d2
3 changed files with 13 additions and 8 deletions
--- a/lib/philomena_web/markdown_renderer.ex
+++ b/lib/philomena_web/markdown_renderer.ex
@ -3,7 +3,6 @@ defmodule PhilomenaWeb.MarkdownRenderer do
  alias Philomena.Images.Image
  alias Philomena.Repo
  alias PhilomenaWeb.ImageView
-  import Phoenix.HTML
  import Phoenix.HTML.Link
  import Ecto.Query

@ -84,7 +83,6 @@ defmodule PhilomenaWeb.MarkdownRenderer do
                  size: ImageView.select_version(img, :medium),
                  conn: conn
                )
-                |> safe_to_string()

              [_id, "t"] when not img.hidden_from_users and img.approved ->
                Phoenix.View.render(ImageView, "_image_target.html",
@ -93,7 +91,6 @@ defmodule PhilomenaWeb.MarkdownRenderer do
                  size: ImageView.select_version(img, :small),
                  conn: conn
                )
-                |> safe_to_string()

              [_id, "s"] when not img.hidden_from_users and img.approved ->
                Phoenix.View.render(ImageView, "_image_target.html",
@ -102,18 +99,15 @@ defmodule PhilomenaWeb.MarkdownRenderer do
                  size: ImageView.select_version(img, :thumb_small),
                  conn: conn
                )
-                |> safe_to_string()

              [_id, suffix] when not img.approved ->
                ">>#{img.id}#{suffix}#{link_suffix(img)}"

              [_id, ""] ->
                link(">>#{img.id}#{link_suffix(img)}", to: "/images/#{img.id}")
-                |> safe_to_string()

              [_id, suffix] when suffix in ["t", "s", "p"] ->
                link(">>#{img.id}#{suffix}#{link_suffix(img)}", to: "/images/#{img.id}")
-                |> safe_to_string()

              # This condition should never trigger, but let's leave it here just in case.
              [id, suffix] ->
@ -124,7 +118,12 @@ defmodule PhilomenaWeb.MarkdownRenderer do
            ">>#{text}"
        end

-      [text, rendered]
+      string_contents =
+        rendered
+        |> Phoenix.HTML.Safe.to_iodata()
+        |> IO.iodata_to_binary()
+
+      [text, string_contents]
    end)
    |> Map.new(fn [id, html] -> {id, html} end)
  end
--- a/lib/philomena_web/stats_updater.ex
+++ b/lib/philomena_web/stats_updater.ex
@ -45,13 +45,15 @@ defmodule PhilomenaWeb.StatsUpdater do
        distinct_creators: distinct_creators,
        images_in_galleries: images_in_galleries
      )
+      |> Phoenix.HTML.Safe.to_iodata()
+      |> IO.iodata_to_binary()

    now = DateTime.utc_now() |> DateTime.truncate(:second)

    static_page = %{
      title: "Statistics",
      slug: "stats",
-      body: Phoenix.HTML.safe_to_string(result),
+      body: result,
      created_at: now,
      updated_at: now
    }
--- a/lib/philomena_web/views/tag_view.ex
+++ b/lib/philomena_web/views/tag_view.ex
@ -103,6 +103,8 @@ defmodule PhilomenaWeb.TagView do
    {tags, shipping, data}
  end

+  # This is a rendered template, so raw/1 has no effect on safety
+  # sobelow_skip ["XSS.Raw"]
  defp render_quick_tags({tags, shipping, data}, conn) do
    render(PhilomenaWeb.TagView, "_quick_tag_table.html",
      tags: tags,
@ -110,6 +112,8 @@ defmodule PhilomenaWeb.TagView do
      data: data,
      conn: conn
    )
+    |> Phoenix.HTML.Safe.to_iodata()
+    |> Phoenix.HTML.raw()
  end

  defp names_in_tab("default", data) do