PonyMirrors/philomena
1
0
Fork 0
mirror of https://github.com/philomena-dev/philomena.git synced 2024-11-23 20:18:00 +01:00
Code Issues Projects Releases Packages Wiki Activity

Ensure HTML raw insertion is not used in template (#247)

Browse source
This commit is contained in:
liamwhite 2024-05-03 23:15:14 -04:00 committed by GitHub
parent 852f870ccf
commit 32619be58b
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
19 changed files with 40 additions and 32 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

12
lib/philomena_web/markdown_renderer.ex
View file

@ -10,6 +10,8 @@ defmodule PhilomenaWeb.MarkdownRenderer do
hd(render_collection([item], conn)) hd(render_collection([item], conn))
end end
# This is rendered Markdown
# sobelow_skip ["XSS.Raw"]
def render_collection(collection, conn) do def render_collection(collection, conn) do
representations = representations =
collection collection
@ -19,15 +21,21 @@ defmodule PhilomenaWeb.MarkdownRenderer do
|> render_representations(conn) |> render_representations(conn)
Enum.map(collection, fn %{body: text} -> Enum.map(collection, fn %{body: text} ->
Markdown.to_html(text || "", representations) (text || "")
|> Markdown.to_html(representations)
|> Phoenix.HTML.raw()
end) end)
end end
# This is rendered Markdown for use on static pages
# sobelow_skip ["XSS.Raw"]
def render_unsafe(text, conn) do def render_unsafe(text, conn) do
images = find_images(text) images = find_images(text)
representations = render_representations(images, conn) representations = render_representations(images, conn)
Markdown.to_html_unsafe(text, representations) text
|> Markdown.to_html_unsafe(representations)
|> Phoenix.HTML.raw()
end end
defp find_images(text) do defp find_images(text) do

2
lib/philomena_web/templates/admin/dnp_entry/index.html.slime
View file

@ -44,7 +44,7 @@ h2 Do-Not-Post Requests
= request.dnp_type = request.dnp_type
td td
== body = body
td class=dnp_entry_row_class(request) td class=dnp_entry_row_class(request)
=> pretty_state(request) => pretty_state(request)

2
lib/philomena_web/templates/admin/mod_note/_table.html.slime
View file

@ -13,7 +13,7 @@ table.table
= link_to_noted_thing(@conn, note.notable) = link_to_noted_thing(@conn, note.notable)
td td
== body = body
td td
= pretty_time note.created_at = pretty_time note.created_at

2
lib/philomena_web/templates/admin/report/show.html.slime
View file

@ -11,7 +11,7 @@ article.block.communication
br br
= render PhilomenaWeb.UserAttributionView, "_anon_user_title.html", object: @report, conn: @conn = render PhilomenaWeb.UserAttributionView, "_anon_user_title.html", object: @report, conn: @conn
.communication__body__text .communication__body__text
==<> @body =<> @body
.block__content.communication__options .block__content.communication__options
.flex.flex--wrap.flex--spaced-out .flex.flex--wrap.flex--spaced-out

4
lib/philomena_web/templates/comment/_comment.html.slime
View file

@ -45,10 +45,10 @@ article.block.communication id="comment_#{@comment.id}"
| This comment's contents have been destroyed. | This comment's contents have been destroyed.
- else - else
br br
==<> @body =<> @body
- else - else
==<> @body =<> @body
.block__content.communication__options .block__content.communication__options
.flex.flex--wrap.flex--spaced-out .flex.flex--wrap.flex--spaced-out

4
lib/philomena_web/templates/comment/_comment_with_image.html.slime
View file

@ -28,10 +28,10 @@ article.block.communication id="comment_#{@comment.id}"
| This comment's contents have been destroyed. | This comment's contents have been destroyed.
- else - else
br br
==<> @body =<> @body
- else - else
==<> @body =<> @body
.block__content.communication__options .block__content.communication__options
.flex.flex--wrap.flex--spaced-out .flex.flex--wrap.flex--spaced-out

2
lib/philomena_web/templates/dnp_entry/index.html.slime
View file

@ -59,7 +59,7 @@ h3 The List
= entry.dnp_type = entry.dnp_type
td td
== body = body
= if @status_column do = if @status_column do
td td

6
lib/philomena_web/templates/dnp_entry/show.html.slime
View file

@ -28,19 +28,19 @@ h2
tr tr
td Conditions: td Conditions:
td td
== @conditions = @conditions
= if can?(@conn, :show_reason, @dnp_entry) do = if can?(@conn, :show_reason, @dnp_entry) do
tr tr
td Reason: td Reason:
td td
== @reason = @reason
= if can?(@conn, :show_feedback, @dnp_entry) do = if can?(@conn, :show_feedback, @dnp_entry) do
tr tr
td Instructions: td Instructions:
td td
== @instructions = @instructions
tr tr
td Feedback: td Feedback:
td td

4
lib/philomena_web/templates/image/_description.html.slime
View file

@ -10,7 +10,7 @@
' Edit ' Edit
.block__content .block__content
p p
= if String.length(@body) > 0 do = if String.length(@image.description) > 0 do
== @body = @body
- else - else
em No description provided. em No description provided.

2
lib/philomena_web/templates/message/_message.html.slime
View file

@ -25,7 +25,7 @@ article.block.communication
= render PhilomenaWeb.UserAttributionView, "_user_title.html", object: %{user: @message.from}, conn: @conn = render PhilomenaWeb.UserAttributionView, "_user_title.html", object: %{user: @message.from}, conn: @conn
.communication__body__text .communication__body__text
== @body = @body
.block__content.communication__options .block__content.communication__options
.flex.flex--wrap.flex--spaced-out .flex.flex--wrap.flex--spaced-out

2
lib/philomena_web/templates/page/show.html.slime
View file

@ -12,4 +12,4 @@ p
i.fa.fa-edit> i.fa.fa-edit>
' Edit ' Edit
== @rendered = @rendered

4
lib/philomena_web/templates/post/_post.html.slime
View file

@ -45,10 +45,10 @@ article.block.communication id="post_#{@post.id}"
| This post's contents have been destroyed. | This post's contents have been destroyed.
- else - else
br br
==<> @body =<> @body
- else - else
==<> @body =<> @body
.block__content.communication__options .block__content.communication__options
.flex.flex--wrap.flex--spaced-out .flex.flex--wrap.flex--spaced-out

2
lib/philomena_web/templates/post/preview/create.html.slime
View file

@ -7,4 +7,4 @@
= render PhilomenaWeb.UserAttributionView, "_anon_user.html", object: @post, conn: @conn, awards: true = render PhilomenaWeb.UserAttributionView, "_anon_user.html", object: @post, conn: @conn, awards: true
.communication__body__text .communication__body__text
== @body = @body

2
lib/philomena_web/templates/profile/_about_me.html.slime
View file

@ -1,7 +1,7 @@
.block__content.profile-about .block__content.profile-about
= cond do = cond do
- @user.description not in [nil, ""] -> - @user.description not in [nil, ""] ->
== @about_me = @about_me
- current?(@user, @conn.assigns.current_user) -> - current?(@user, @conn.assigns.current_user) ->
em em

2
lib/philomena_web/templates/profile/_commission.html.slime
View file

@ -17,7 +17,7 @@
/ Lotta space here / Lotta space here
br br
== @commission_information = @commission_information
br br
br br

4
lib/philomena_web/templates/profile/commission/_listing_items.html.slime
View file

@ -42,13 +42,13 @@
br br
br br
== description = description
td td
| $ | $
= Decimal.round(item.base_price, 2) = Decimal.round(item.base_price, 2)
td td
== add_ons = add_ons
= if can?(@conn, :edit, @commission) do = if can?(@conn, :edit, @commission) do
td td

8
lib/philomena_web/templates/profile/commission/_listing_sidebar.html.slime
View file

@ -24,14 +24,14 @@
br br
br br
== @rendered.information = @rendered.information
/ Contact information block / Contact information block
.block .block
.block__header .block__header
span.block__header__title Contact information span.block__header__title Contact information
.block__content.commission__block_body .block__content.commission__block_body
== @rendered.contact = @rendered.contact
/ Categories block / Categories block
.block .block
@ -48,7 +48,7 @@
.block__header .block__header
span.block__header__title Will draw/create span.block__header__title Will draw/create
.block__content.commission__block_body .block__content.commission__block_body
== @rendered.will_create = @rendered.will_create
/ Will not create block / Will not create block
= if @commission.will_not_create not in [nil, ""] do = if @commission.will_not_create not in [nil, ""] do
@ -56,7 +56,7 @@
.block__header .block__header
span.block__header__title Will not draw/create span.block__header__title Will not draw/create
.block__content.commission__block_body .block__content.commission__block_body
== @rendered.will_not_create = @rendered.will_not_create
/ Artist link block / Artist link block
/.block /.block

4
lib/philomena_web/templates/profile/show.html.slime
View file

@ -146,13 +146,13 @@
tbody tbody
= for {body, mod_note} <- @mod_notes do = for {body, mod_note} <- @mod_notes do
tr tr
td == body td = body
td = pretty_time(mod_note.created_at) td = pretty_time(mod_note.created_at)
= if can_index_user?(@conn) do = if can_index_user?(@conn) do
.block .block
a.block__header--single-item href=Routes.profile_scratchpad_path(@conn, :edit, @user) Moderation Scratchpad a.block__header--single-item href=Routes.profile_scratchpad_path(@conn, :edit, @user) Moderation Scratchpad
.block__content.profile-about .block__content.profile-about
== @scratchpad = @scratchpad
.column-layout__main .column-layout__main
= render PhilomenaWeb.ProfileView, "_statistics.html", user: @user, statistics: @statistics, conn: @conn = render PhilomenaWeb.ProfileView, "_statistics.html", user: @user, statistics: @statistics, conn: @conn

4
lib/philomena_web/templates/tag/_tag_info_row.html.slime
View file

@ -101,7 +101,7 @@
= if @tag.description not in [nil, ""] do = if @tag.description not in [nil, ""] do
strong> Detailed description: strong> Detailed description:
br br
== @body = @body
= if Enum.any?(@dnp_entries) do = if Enum.any?(@dnp_entries) do
hr hr
@ -114,7 +114,7 @@
strong strong
=> entry.dnp_type => entry.dnp_type
==> body => body
| ( | (
= link "more info", to: Routes.dnp_entry_path(@conn, :show, entry) = link "more info", to: Routes.dnp_entry_path(@conn, :show, entry)