From 9f81116ba32c5d8372c5890f8a51f0492c5a72ec Mon Sep 17 00:00:00 2001 From: alemi Date: Thu, 4 Jul 2024 01:50:39 +0200 Subject: [PATCH] fix: don't normalize html by default it breaks remote posts a little and frontend sanitizes again anyway so might as well store the original stuff they serve us? could be malicious tho, if FE doesn't sanitize again could lead to stored XSS, maybe reconsider? --- upub/core/Cargo.toml | 1 - upub/core/src/traits/normalize.rs | 8 ++++---- 2 files changed, 4 insertions(+), 5 deletions(-) diff --git a/upub/core/Cargo.toml b/upub/core/Cargo.toml index 06a643e..ec61028 100644 --- a/upub/core/Cargo.toml +++ b/upub/core/Cargo.toml @@ -25,7 +25,6 @@ serde_json = "1" serde_default = "0.1" serde-inline-default = "0.2" toml = "0.8" -mdhtml = { path = "../../utils/mdhtml", features = ["markdown"] } uriproxy = { path = "../../utils/uriproxy" } httpsign = { path = "../../utils/httpsign/" } jrd = "0.1" diff --git a/upub/core/src/traits/normalize.rs b/upub/core/src/traits/normalize.rs index 37c1e44..6456709 100644 --- a/upub/core/src/traits/normalize.rs +++ b/upub/core/src/traits/normalize.rs @@ -25,10 +25,10 @@ impl Normalizer for crate::Context { async fn insert_object(&self, object: impl apb::Object, tx: &impl ConnectionTrait) -> Result { let mut object_model = AP::object(&object)?; - // make sure content only contains a safe subset of html - if let Some(content) = object_model.content { - object_model.content = Some(mdhtml::safe_html(&content)); - } + // TOO should we make sure content only contains a safe subset of html ? frontend does it too + // if let Some(content) = object_model.content { + // object_model.content = Some(mdhtml::safe_html(&content)); + // } // fix context for remote posts // > if any link is broken or we get rate limited, the whole insertion fails which is