Use modern Phoenix HTML escaping (#236)
This commit is contained in:
parent
eb79ee45d2
commit
101aec001b
3 changed files with 13 additions and 8 deletions
|
@ -3,7 +3,6 @@ defmodule PhilomenaWeb.MarkdownRenderer do
|
||||||
alias Philomena.Images.Image
|
alias Philomena.Images.Image
|
||||||
alias Philomena.Repo
|
alias Philomena.Repo
|
||||||
alias PhilomenaWeb.ImageView
|
alias PhilomenaWeb.ImageView
|
||||||
import Phoenix.HTML
|
|
||||||
import Phoenix.HTML.Link
|
import Phoenix.HTML.Link
|
||||||
import Ecto.Query
|
import Ecto.Query
|
||||||
|
|
||||||
|
@ -84,7 +83,6 @@ defmodule PhilomenaWeb.MarkdownRenderer do
|
||||||
size: ImageView.select_version(img, :medium),
|
size: ImageView.select_version(img, :medium),
|
||||||
conn: conn
|
conn: conn
|
||||||
)
|
)
|
||||||
|> safe_to_string()
|
|
||||||
|
|
||||||
[_id, "t"] when not img.hidden_from_users and img.approved ->
|
[_id, "t"] when not img.hidden_from_users and img.approved ->
|
||||||
Phoenix.View.render(ImageView, "_image_target.html",
|
Phoenix.View.render(ImageView, "_image_target.html",
|
||||||
|
@ -93,7 +91,6 @@ defmodule PhilomenaWeb.MarkdownRenderer do
|
||||||
size: ImageView.select_version(img, :small),
|
size: ImageView.select_version(img, :small),
|
||||||
conn: conn
|
conn: conn
|
||||||
)
|
)
|
||||||
|> safe_to_string()
|
|
||||||
|
|
||||||
[_id, "s"] when not img.hidden_from_users and img.approved ->
|
[_id, "s"] when not img.hidden_from_users and img.approved ->
|
||||||
Phoenix.View.render(ImageView, "_image_target.html",
|
Phoenix.View.render(ImageView, "_image_target.html",
|
||||||
|
@ -102,18 +99,15 @@ defmodule PhilomenaWeb.MarkdownRenderer do
|
||||||
size: ImageView.select_version(img, :thumb_small),
|
size: ImageView.select_version(img, :thumb_small),
|
||||||
conn: conn
|
conn: conn
|
||||||
)
|
)
|
||||||
|> safe_to_string()
|
|
||||||
|
|
||||||
[_id, suffix] when not img.approved ->
|
[_id, suffix] when not img.approved ->
|
||||||
">>#{img.id}#{suffix}#{link_suffix(img)}"
|
">>#{img.id}#{suffix}#{link_suffix(img)}"
|
||||||
|
|
||||||
[_id, ""] ->
|
[_id, ""] ->
|
||||||
link(">>#{img.id}#{link_suffix(img)}", to: "/images/#{img.id}")
|
link(">>#{img.id}#{link_suffix(img)}", to: "/images/#{img.id}")
|
||||||
|> safe_to_string()
|
|
||||||
|
|
||||||
[_id, suffix] when suffix in ["t", "s", "p"] ->
|
[_id, suffix] when suffix in ["t", "s", "p"] ->
|
||||||
link(">>#{img.id}#{suffix}#{link_suffix(img)}", to: "/images/#{img.id}")
|
link(">>#{img.id}#{suffix}#{link_suffix(img)}", to: "/images/#{img.id}")
|
||||||
|> safe_to_string()
|
|
||||||
|
|
||||||
# This condition should never trigger, but let's leave it here just in case.
|
# This condition should never trigger, but let's leave it here just in case.
|
||||||
[id, suffix] ->
|
[id, suffix] ->
|
||||||
|
@ -124,7 +118,12 @@ defmodule PhilomenaWeb.MarkdownRenderer do
|
||||||
">>#{text}"
|
">>#{text}"
|
||||||
end
|
end
|
||||||
|
|
||||||
[text, rendered]
|
string_contents =
|
||||||
|
rendered
|
||||||
|
|> Phoenix.HTML.Safe.to_iodata()
|
||||||
|
|> IO.iodata_to_binary()
|
||||||
|
|
||||||
|
[text, string_contents]
|
||||||
end)
|
end)
|
||||||
|> Map.new(fn [id, html] -> {id, html} end)
|
|> Map.new(fn [id, html] -> {id, html} end)
|
||||||
end
|
end
|
||||||
|
|
|
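Review bot: The new `Phoenix.HTML.Safe.to_iodata()` step at the end of the mapping function changes the output of the branches that return plain strings, not only the ones that previously called `safe_to_string/1`: `">>#{img.id}#{suffix}#{link_suffix(img)}"` (the `not img.approved` clause) and `">>#{text}"` (the `[id, suffix]` fallback) are now HTML-escaped, so `>>` becomes `&gt;&gt;` and whatever `link_suffix/1` returns is escaped too, where before they went into the map verbatim. That is the right outcome if the map values are only ever spliced into HTML, and it closes the gap where those strings bypassed escaping, but it is a behavior change the commit message does not mention and deserves a test pinning the escaped form of an unapproved-image reference. A comment above `string_contents =` would make the contract explicit: `# Every branch is HTML-escaped here: {:safe, _} values are unwrapped, plain strings are escaped.` The enclosing function and its `Enum.map` start above the first hunk, so the remaining branches are not visible here.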
@ -45,13 +45,15 @@ defmodule PhilomenaWeb.StatsUpdater do
|
||||||
distinct_creators: distinct_creators,
|
distinct_creators: distinct_creators,
|
||||||
images_in_galleries: images_in_galleries
|
images_in_galleries: images_in_galleries
|
||||||
)
|
)
|
||||||
|
|> Phoenix.HTML.Safe.to_iodata()
|
||||||
|
|> IO.iodata_to_binary()
|
||||||
|
|
||||||
now = DateTime.utc_now() |> DateTime.truncate(:second)
|
now = DateTime.utc_now() |> DateTime.truncate(:second)
|
||||||
|
|
||||||
static_page = %{
|
static_page = %{
|
||||||
title: "Statistics",
|
title: "Statistics",
|
||||||
slug: "stats",
|
slug: "stats",
|
||||||
body: Phoenix.HTML.safe_to_string(result),
|
body: result,
|
||||||
created_at: now,
|
created_at: now,
|
||||||
updated_at: now
|
updated_at: now
|
||||||
}
|
}
|
||||||
|
|
|
@ -103,6 +103,8 @@ defmodule PhilomenaWeb.TagView do
|
||||||
{tags, shipping, data}
|
{tags, shipping, data}
|
||||||
end
|
end
|
||||||
|
|
||||||
|
# This is a rendered template, so raw/1 has no effect on safety
|
||||||
|
# sobelow_skip ["XSS.Raw"]
|
||||||
defp render_quick_tags({tags, shipping, data}, conn) do
|
defp render_quick_tags({tags, shipping, data}, conn) do
|
||||||
render(PhilomenaWeb.TagView, "_quick_tag_table.html",
|
render(PhilomenaWeb.TagView, "_quick_tag_table.html",
|
||||||
tags: tags,
|
tags: tags,
|
||||||
|
@ -110,6 +112,8 @@ defmodule PhilomenaWeb.TagView do
|
||||||
data: data,
|
data: data,
|
||||||
conn: conn
|
conn: conn
|
||||||
)
|
)
|
||||||
|
|> Phoenix.HTML.Safe.to_iodata()
|
||||||
|
|> Phoenix.HTML.raw()
|
||||||
end
|
end
|
||||||
|
|
||||||
defp names_in_tab("default", data) do
|
defp names_in_tab("default", data) do
|
||||||
|
|
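Review bot: The `sobelow_skip ["XSS.Raw"]` annotation added before `render_quick_tags/2` silences a finding that exists only because of the added `Phoenix.HTML.raw()` step; if `render/3` here returns `{:safe, iodata}` as `Phoenix.View.render/3` does, `Phoenix.HTML.Safe.to_iodata/1` unwraps it and `raw/1` re-wraps the same iodata, so the two added lines are an identity round trip and the function could simply return the `render(...)` value with no skip needed. If the round trip is deliberate, for example to guarantee a `{:safe, _}` shape in case `render/3` hands back a bare binary, the comment should say so, because as written `raw/1` is exactly the call that would mark an unescaped binary as safe. Suggested wording in place of the existing comment: `# render/3 already returns {:safe, iodata}; to_iodata/1 unwraps and raw/1 re-wraps it, so no unescaped data is marked safe here.` The body of `render_quick_tags/2` spans both hunks of this section.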