From e919e6621308cb6a823d5439e1a64ba7422e4ba8 Mon Sep 17 00:00:00 2001
From: Liam <byteslice@airmail.cc>
Date: Thu, 2 May 2024 22:29:09 -0400
Subject: [PATCH] Ensure HTML raw insertion is not used in template

---
 lib/philomena_web/markdown_renderer.ex               | 12 ++++++++++--
 .../templates/admin/dnp_entry/index.html.slime       |  2 +-
 .../templates/admin/mod_note/_table.html.slime       |  2 +-
 .../templates/admin/report/show.html.slime           |  2 +-
 .../templates/comment/_comment.html.slime            |  4 ++--
 .../templates/comment/_comment_with_image.html.slime |  4 ++--
 .../templates/dnp_entry/index.html.slime             |  2 +-
 .../templates/dnp_entry/show.html.slime              |  6 +++---
 .../templates/image/_description.html.slime          |  4 ++--
 .../templates/message/_message.html.slime            |  2 +-
 lib/philomena_web/templates/page/show.html.slime     |  2 +-
 lib/philomena_web/templates/post/_post.html.slime    |  4 ++--
 .../templates/post/preview/create.html.slime         |  2 +-
 .../templates/profile/_about_me.html.slime           |  2 +-
 .../templates/profile/_commission.html.slime         |  2 +-
 .../profile/commission/_listing_items.html.slime     |  4 ++--
 .../profile/commission/_listing_sidebar.html.slime   |  8 ++++----
 lib/philomena_web/templates/profile/show.html.slime  |  4 ++--
 .../templates/tag/_tag_info_row.html.slime           |  4 ++--
 19 files changed, 40 insertions(+), 32 deletions(-)

diff --git a/lib/philomena_web/markdown_renderer.ex b/lib/philomena_web/markdown_renderer.ex
index 508a960f..7caff5c9 100644
--- a/lib/philomena_web/markdown_renderer.ex
+++ b/lib/philomena_web/markdown_renderer.ex
@@ -10,6 +10,8 @@ defmodule PhilomenaWeb.MarkdownRenderer do
     hd(render_collection([item], conn))
   end
 
+  # This is rendered Markdown
+  # sobelow_skip ["XSS.Raw"]
   def render_collection(collection, conn) do
     representations =
       collection
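Review bot: The comment added above `render_collection` says the value is rendered Markdown, which is not by itself the reason the HTML may be emitted unescaped; the reason is that the Markdown renderer is expected to have already sanitized user-supplied markup, and a reader deciding whether the Sobelow skip still holds needs that invariant spelled out. Suggest `# Markdown.to_html is expected to return sanitized HTML for untrusted text, so the result is marked safe here and templates use the escaping = form; never route unsanitized markup through this function.` I cannot see `Markdown.to_html` in this patch, so whether it sanitizes is an assumption to confirm. A `@spec render_collection([map()], Plug.Conn.t()) :: [Phoenix.HTML.safe()]` would also document the changed return type, since callers that treated the result as a binary (as the `String.length(@body)` check in image/_description.html.slime did) no longer work. The function body continues in the next hunk.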
@@ -19,15 +21,21 @@ defmodule PhilomenaWeb.MarkdownRenderer do
       |> render_representations(conn)
 
     Enum.map(collection, fn %{body: text} ->
-      Markdown.to_html(text || "", representations)
+      (text || "")
+      |> Markdown.to_html(representations)
+      |> Phoenix.HTML.raw()
     end)
   end
 
+  # This is rendered Markdown for use on static pages
+  # sobelow_skip ["XSS.Raw"]
   def render_unsafe(text, conn) do
     images = find_images(text)
     representations = render_representations(images, conn)
 
-    Markdown.to_html_unsafe(text, representations)
+    text
+    |> Markdown.to_html_unsafe(representations)
+    |> Phoenix.HTML.raw()
   end
 
   defp find_images(text) do
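Review bot: `render_unsafe` now returns a `{:safe, _}` term even though its name and the `Markdown.to_html_unsafe` call indicate the HTML is not sanitized, so the only thing standing between that text and the page is the caller's choice of what to pass in; the skip comment should state that constraint rather than only the use case, e.g. `# Output is NOT sanitized: only staff-authored content (static pages) may be passed here, never user-supplied text.` That the unsafe variant skips sanitization is inferred from its name and should be confirmed against `Markdown.to_html_unsafe`. Unlike `render_collection`, this path does not apply the `text || ""` default, so a nil page body reaches `find_images/1` and `Markdown.to_html_unsafe/2`; `(text || "")` at the head of the pipe would keep the two paths consistent if nil is possible. Nothing in the patch prevents a `==` from being reintroduced in a template, so a CI grep for lines starting with `==` under `templates/` would turn the commit title into an enforced property.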
diff --git a/lib/philomena_web/templates/admin/dnp_entry/index.html.slime b/lib/philomena_web/templates/admin/dnp_entry/index.html.slime
index 50f351dd..bc646d59 100644
--- a/lib/philomena_web/templates/admin/dnp_entry/index.html.slime
+++ b/lib/philomena_web/templates/admin/dnp_entry/index.html.slime
@@ -44,7 +44,7 @@ h2 Do-Not-Post Requests
                 = request.dnp_type
 
               td
-                == body
+                = body
 
               td class=dnp_entry_row_class(request)
                 => pretty_state(request)
diff --git a/lib/philomena_web/templates/admin/mod_note/_table.html.slime b/lib/philomena_web/templates/admin/mod_note/_table.html.slime
index fa457243..a47663a7 100644
--- a/lib/philomena_web/templates/admin/mod_note/_table.html.slime
+++ b/lib/philomena_web/templates/admin/mod_note/_table.html.slime
@@ -13,7 +13,7 @@ table.table
           = link_to_noted_thing(@conn, note.notable)
 
         td
-          == body
+          = body
 
         td
           = pretty_time note.created_at
diff --git a/lib/philomena_web/templates/admin/report/show.html.slime b/lib/philomena_web/templates/admin/report/show.html.slime
index deec703b..f046aae3 100644
--- a/lib/philomena_web/templates/admin/report/show.html.slime
+++ b/lib/philomena_web/templates/admin/report/show.html.slime
@@ -11,7 +11,7 @@ article.block.communication
       br
       = render PhilomenaWeb.UserAttributionView, "_anon_user_title.html", object: @report, conn: @conn
       .communication__body__text
-        ==<> @body
+        =<> @body
 
   .block__content.communication__options
     .flex.flex--wrap.flex--spaced-out
diff --git a/lib/philomena_web/templates/comment/_comment.html.slime b/lib/philomena_web/templates/comment/_comment.html.slime
index e79f3852..508202ef 100644
--- a/lib/philomena_web/templates/comment/_comment.html.slime
+++ b/lib/philomena_web/templates/comment/_comment.html.slime
@@ -45,10 +45,10 @@ article.block.communication id="comment_#{@comment.id}"
                 | This comment's contents have been destroyed.
             - else
               br
-              ==<> @body
+              =<> @body
 
         - else
-          ==<> @body
+          =<> @body
 
   .block__content.communication__options
     .flex.flex--wrap.flex--spaced-out
diff --git a/lib/philomena_web/templates/comment/_comment_with_image.html.slime b/lib/philomena_web/templates/comment/_comment_with_image.html.slime
index ed7da1fe..8faaca31 100644
--- a/lib/philomena_web/templates/comment/_comment_with_image.html.slime
+++ b/lib/philomena_web/templates/comment/_comment_with_image.html.slime
@@ -28,10 +28,10 @@ article.block.communication id="comment_#{@comment.id}"
                 | This comment's contents have been destroyed.
             - else
               br
-              ==<> @body
+              =<> @body
 
         - else
-          ==<> @body
+          =<> @body
 
   .block__content.communication__options
     .flex.flex--wrap.flex--spaced-out
diff --git a/lib/philomena_web/templates/dnp_entry/index.html.slime b/lib/philomena_web/templates/dnp_entry/index.html.slime
index b76ba967..01952ede 100644
--- a/lib/philomena_web/templates/dnp_entry/index.html.slime
+++ b/lib/philomena_web/templates/dnp_entry/index.html.slime
@@ -59,7 +59,7 @@ h3 The List
               = entry.dnp_type
 
             td
-              == body
+              = body
 
             = if @status_column do
               td
diff --git a/lib/philomena_web/templates/dnp_entry/show.html.slime b/lib/philomena_web/templates/dnp_entry/show.html.slime
index 572fa09e..a672573a 100644
--- a/lib/philomena_web/templates/dnp_entry/show.html.slime
+++ b/lib/philomena_web/templates/dnp_entry/show.html.slime
@@ -28,19 +28,19 @@ h2
         tr
           td Conditions:
           td
-            == @conditions
+            = @conditions
 
         = if can?(@conn, :show_reason, @dnp_entry) do
           tr
             td Reason:
             td
-              == @reason
+              = @reason
         
         = if can?(@conn, :show_feedback, @dnp_entry) do
           tr
             td Instructions:
             td
-              == @instructions
+              = @instructions
           tr
             td Feedback:
             td
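Review bot: The Feedback value that follows the `td` at the end of this hunk is outside the hunk, and the diffstat for this file shows only three insertions and three deletions, so that cell was not converted while the Conditions, Reason and Instructions cells above it were. If it renders Markdown with `==` it is the one remaining raw insertion on this page and should become `= @feedback` (or whatever the assign is named) as well; if it is a plain string rendered with `=`, nothing is needed. I cannot see the line after the hunk, so this is worth a quick check rather than a certain defect.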
diff --git a/lib/philomena_web/templates/image/_description.html.slime b/lib/philomena_web/templates/image/_description.html.slime
index 7f5b2533..5f1fa052 100644
--- a/lib/philomena_web/templates/image/_description.html.slime
+++ b/lib/philomena_web/templates/image/_description.html.slime
@@ -10,7 +10,7 @@
           ' Edit
   .block__content
     p
-      = if String.length(@body) > 0 do
-        == @body
+      = if String.length(@image.description) > 0 do
+        = @body
       - else
         em No description provided.
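Review bot: `String.length(@image.description) > 0` raises if `description` is nil, whereas the replaced `String.length(@body)` was protected by the `text || ""` default in `render_collection`; it also walks the whole string just to test emptiness. The same check elsewhere in this patch is written as `not in [nil, ""]` (profile/_about_me.html.slime, tag/_tag_info_row.html.slime), so `= if @image.description not in [nil, ""] do` is both nil-safe and consistent with the rest of the templates. Whether the column is nullable is not visible here; the rewrite is correct either way.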
diff --git a/lib/philomena_web/templates/message/_message.html.slime b/lib/philomena_web/templates/message/_message.html.slime
index bf24ea6c..27f4bd96 100644
--- a/lib/philomena_web/templates/message/_message.html.slime
+++ b/lib/philomena_web/templates/message/_message.html.slime
@@ -25,7 +25,7 @@ article.block.communication
       = render PhilomenaWeb.UserAttributionView, "_user_title.html", object: %{user: @message.from}, conn: @conn
 
       .communication__body__text
-        == @body
+        = @body
 
   .block__content.communication__options
     .flex.flex--wrap.flex--spaced-out
diff --git a/lib/philomena_web/templates/page/show.html.slime b/lib/philomena_web/templates/page/show.html.slime
index fa4bc580..9eadee5f 100644
--- a/lib/philomena_web/templates/page/show.html.slime
+++ b/lib/philomena_web/templates/page/show.html.slime
@@ -12,4 +12,4 @@ p
       i.fa.fa-edit>
       ' Edit
 
-== @rendered
+= @rendered
diff --git a/lib/philomena_web/templates/post/_post.html.slime b/lib/philomena_web/templates/post/_post.html.slime
index 64712c84..d6f5c6a8 100644
--- a/lib/philomena_web/templates/post/_post.html.slime
+++ b/lib/philomena_web/templates/post/_post.html.slime
@@ -45,10 +45,10 @@ article.block.communication id="post_#{@post.id}"
                 | This post's contents have been destroyed.
             - else
               br
-              ==<> @body
+              =<> @body
 
         - else
-          ==<> @body
+          =<> @body
 
   .block__content.communication__options
     .flex.flex--wrap.flex--spaced-out
diff --git a/lib/philomena_web/templates/post/preview/create.html.slime b/lib/philomena_web/templates/post/preview/create.html.slime
index 8b5febb8..469efc80 100644
--- a/lib/philomena_web/templates/post/preview/create.html.slime
+++ b/lib/philomena_web/templates/post/preview/create.html.slime
@@ -7,4 +7,4 @@
       = render PhilomenaWeb.UserAttributionView, "_anon_user.html", object: @post, conn: @conn, awards: true
 
     .communication__body__text
-      == @body
+      = @body
diff --git a/lib/philomena_web/templates/profile/_about_me.html.slime b/lib/philomena_web/templates/profile/_about_me.html.slime
index 31aba220..e4c4a782 100644
--- a/lib/philomena_web/templates/profile/_about_me.html.slime
+++ b/lib/philomena_web/templates/profile/_about_me.html.slime
@@ -1,7 +1,7 @@
 .block__content.profile-about
   = cond do
     - @user.description not in [nil, ""] ->
-      == @about_me
+      = @about_me
 
     - current?(@user, @conn.assigns.current_user) ->
       em
diff --git a/lib/philomena_web/templates/profile/_commission.html.slime b/lib/philomena_web/templates/profile/_commission.html.slime
index b6a47d74..db8e8d46 100644
--- a/lib/philomena_web/templates/profile/_commission.html.slime
+++ b/lib/philomena_web/templates/profile/_commission.html.slime
@@ -17,7 +17,7 @@
 
       / Lotta space here
       br
-      == @commission_information
+      = @commission_information
       br
       br
 
diff --git a/lib/philomena_web/templates/profile/commission/_listing_items.html.slime b/lib/philomena_web/templates/profile/commission/_listing_items.html.slime
index b57a80b1..778daa01 100644
--- a/lib/philomena_web/templates/profile/commission/_listing_items.html.slime
+++ b/lib/philomena_web/templates/profile/commission/_listing_items.html.slime
@@ -42,13 +42,13 @@
               br
               br
 
-              == description
+              = description
             td
               | $
               = Decimal.round(item.base_price, 2)
 
             td
-              == add_ons
+              = add_ons
 
             = if can?(@conn, :edit, @commission) do
               td
diff --git a/lib/philomena_web/templates/profile/commission/_listing_sidebar.html.slime b/lib/philomena_web/templates/profile/commission/_listing_sidebar.html.slime
index ec68f27e..544ed939 100644
--- a/lib/philomena_web/templates/profile/commission/_listing_sidebar.html.slime
+++ b/lib/philomena_web/templates/profile/commission/_listing_sidebar.html.slime
@@ -24,14 +24,14 @@
     br
     br
 
-    == @rendered.information
+    = @rendered.information
 
 / Contact information block
 .block
   .block__header
     span.block__header__title Contact information
   .block__content.commission__block_body
-    == @rendered.contact
+    = @rendered.contact
 
 / Categories block
 .block
@@ -48,7 +48,7 @@
     .block__header
       span.block__header__title Will draw/create
     .block__content.commission__block_body
-      == @rendered.will_create
+      = @rendered.will_create
 
 / Will not create block
 = if @commission.will_not_create not in [nil, ""] do
@@ -56,7 +56,7 @@
     .block__header
       span.block__header__title Will not draw/create
     .block__content.commission__block_body
-      == @rendered.will_not_create
+      = @rendered.will_not_create
 
 / Artist link block
 /.block
diff --git a/lib/philomena_web/templates/profile/show.html.slime b/lib/philomena_web/templates/profile/show.html.slime
index ef368950..21eacf74 100644
--- a/lib/philomena_web/templates/profile/show.html.slime
+++ b/lib/philomena_web/templates/profile/show.html.slime
@@ -146,13 +146,13 @@
           tbody
             = for {body, mod_note} <- @mod_notes do
               tr
-                td == body
+                td = body
                 td = pretty_time(mod_note.created_at)
     = if can_index_user?(@conn) do
       .block
         a.block__header--single-item href=Routes.profile_scratchpad_path(@conn, :edit, @user) Moderation Scratchpad
         .block__content.profile-about
-          == @scratchpad
+          = @scratchpad
 
   .column-layout__main
     = render PhilomenaWeb.ProfileView, "_statistics.html", user: @user, statistics: @statistics, conn: @conn
diff --git a/lib/philomena_web/templates/tag/_tag_info_row.html.slime b/lib/philomena_web/templates/tag/_tag_info_row.html.slime
index de013d35..5e38db97 100644
--- a/lib/philomena_web/templates/tag/_tag_info_row.html.slime
+++ b/lib/philomena_web/templates/tag/_tag_info_row.html.slime
@@ -101,7 +101,7 @@
         = if @tag.description not in [nil, ""] do
           strong> Detailed description:
           br
-          == @body
+          = @body
 
     = if Enum.any?(@dnp_entries) do
       hr
@@ -114,7 +114,7 @@
         strong
           => entry.dnp_type
 
-        ==> body
+        => body
 
         | (
         = link "more info", to: Routes.dnp_entry_path(@conn, :show, entry)