From 2a8dfe4572043ea7df225782418366d9871c1881 Mon Sep 17 00:00:00 2001
From: Liam <byteslice@airmail.cc>
Date: Sat, 27 Apr 2024 02:06:07 -0400
Subject: [PATCH] Use modern Phoenix HTML escaping

---
 lib/philomena_web/markdown_renderer.ex | 13 ++++++-------
 lib/philomena_web/stats_updater.ex     |  4 +++-
 lib/philomena_web/views/tag_view.ex    |  4 ++++
 3 files changed, 13 insertions(+), 8 deletions(-)

diff --git a/lib/philomena_web/markdown_renderer.ex b/lib/philomena_web/markdown_renderer.ex
index a37b1a42..508a960f 100644
--- a/lib/philomena_web/markdown_renderer.ex
+++ b/lib/philomena_web/markdown_renderer.ex
@@ -3,7 +3,6 @@ defmodule PhilomenaWeb.MarkdownRenderer do
   alias Philomena.Images.Image
   alias Philomena.Repo
   alias PhilomenaWeb.ImageView
-  import Phoenix.HTML
   import Phoenix.HTML.Link
   import Ecto.Query
 
@@ -84,7 +83,6 @@ defmodule PhilomenaWeb.MarkdownRenderer do
                   size: ImageView.select_version(img, :medium),
                   conn: conn
                 )
-                |> safe_to_string()
 
               [_id, "t"] when not img.hidden_from_users and img.approved ->
                 Phoenix.View.render(ImageView, "_image_target.html",
@@ -93,7 +91,6 @@ defmodule PhilomenaWeb.MarkdownRenderer do
                   size: ImageView.select_version(img, :small),
                   conn: conn
                 )
-                |> safe_to_string()
 
               [_id, "s"] when not img.hidden_from_users and img.approved ->
                 Phoenix.View.render(ImageView, "_image_target.html",
@@ -102,18 +99,15 @@ defmodule PhilomenaWeb.MarkdownRenderer do
                   size: ImageView.select_version(img, :thumb_small),
                   conn: conn
                 )
-                |> safe_to_string()
 
               [_id, suffix] when not img.approved ->
                 ">>#{img.id}#{suffix}#{link_suffix(img)}"
 
               [_id, ""] ->
                 link(">>#{img.id}#{link_suffix(img)}", to: "/images/#{img.id}")
-                |> safe_to_string()
 
               [_id, suffix] when suffix in ["t", "s", "p"] ->
                 link(">>#{img.id}#{suffix}#{link_suffix(img)}", to: "/images/#{img.id}")
-                |> safe_to_string()
 
               # This condition should never trigger, but let's leave it here just in case.
               [id, suffix] ->
@@ -124,7 +118,12 @@ defmodule PhilomenaWeb.MarkdownRenderer do
             ">>#{text}"
         end
 
-      [text, rendered]
+      string_contents =
+        rendered
+        |> Phoenix.HTML.Safe.to_iodata()
+        |> IO.iodata_to_binary()
+
+      [text, string_contents]
     end)
     |> Map.new(fn [id, html] -> {id, html} end)
   end
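Review bot: `Phoenix.HTML.Safe.to_iodata/1` treats the values reaching the new pipeline differently depending on their shape: the `{:safe, iodata}` results of the template and `link/2` branches are unwrapped unchanged, while the plain binaries from the `not img.approved` branch in the preceding hunk and the `">>#{text}"` fallback just above are HTML-escaped, so those now come out as `&gt;&gt;…` where the old `[text, rendered]` inserted them verbatim. That is a hardening if the consumer of this map treats every value as HTML, but a double-escape if it already escapes plain-string replacements; which one applies is not visible from the hunk. A comment on the pipeline would record the intent, e.g. `# Safe terms pass through untouched; bare strings from the fallback branches are escaped here.` The same `to_iodata/1 |> IO.iodata_to_binary/1` pair is repeated in stats_updater.ex in this commit, so a small shared helper would keep that escaping rule in one place. The enclosing function begins outside the hunk.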
diff --git a/lib/philomena_web/stats_updater.ex b/lib/philomena_web/stats_updater.ex
index caecc6b6..dc53324d 100644
--- a/lib/philomena_web/stats_updater.ex
+++ b/lib/philomena_web/stats_updater.ex
@@ -45,13 +45,15 @@ defmodule PhilomenaWeb.StatsUpdater do
         distinct_creators: distinct_creators,
         images_in_galleries: images_in_galleries
       )
+      |> Phoenix.HTML.Safe.to_iodata()
+      |> IO.iodata_to_binary()
 
     now = DateTime.utc_now() |> DateTime.truncate(:second)
 
     static_page = %{
       title: "Statistics",
       slug: "stats",
-      body: Phoenix.HTML.safe_to_string(result),
+      body: result,
       created_at: now,
       updated_at: now
     }
diff --git a/lib/philomena_web/views/tag_view.ex b/lib/philomena_web/views/tag_view.ex
index ada8ffdd..bcbc1e22 100644
--- a/lib/philomena_web/views/tag_view.ex
+++ b/lib/philomena_web/views/tag_view.ex
@@ -103,6 +103,8 @@ defmodule PhilomenaWeb.TagView do
     {tags, shipping, data}
   end
 
+  # This is a rendered template, so raw/1 has no effect on safety
+  # sobelow_skip ["XSS.Raw"]
   defp render_quick_tags({tags, shipping, data}, conn) do
     render(PhilomenaWeb.TagView, "_quick_tag_table.html",
       tags: tags,
@@ -110,6 +112,8 @@ defmodule PhilomenaWeb.TagView do
       data: data,
       conn: conn
     )
+    |> Phoenix.HTML.Safe.to_iodata()
+    |> Phoenix.HTML.raw()
   end
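Review bot: On the `{:safe, iodata}` that `render/3` returns for an HTML template, the added `Phoenix.HTML.Safe.to_iodata/1 |> Phoenix.HTML.raw/1` pair is an identity — `to_iodata/1` unwraps the safe tuple and `raw/1` wraps it again — so it only changes anything when the template yields a bare binary, which `to_iodata/1` escapes before `raw/1` re-tags it. The justification in the hunk above, "this is a rendered template", does not state that invariant, and the `sobelow_skip` it introduces will also hide any future `raw/1` added to this function; the comment should spell out why the call is safe, e.g. `# Safe.to_iodata/1 escapes bare binaries and passes {:safe, _} through, so raw/1 here only re-tags already-escaped iodata.` If the caller does not require normalization to a safe term, dropping both added lines and the skip avoids the suppression entirely. render_quick_tags begins in the previous hunk.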
 
   defp names_in_tab("default", data) do