fix: don't normalize html by default

it breaks remote posts a little and frontend sanitizes again anyway so
might as well store the original stuff they serve us? could be malicious
tho, if FE doesn't sanitize again could lead to stored XSS, maybe
reconsider?
This commit is contained in:
əlemi 2024-07-04 01:50:39 +02:00
parent 0f97d7656a
commit 9f81116ba3
Signed by: alemi
GPG key ID: A4895B84D311642C
2 changed files with 4 additions and 5 deletions

View file

@ -25,7 +25,6 @@ serde_json = "1"
serde_default = "0.1" serde_default = "0.1"
serde-inline-default = "0.2" serde-inline-default = "0.2"
toml = "0.8" toml = "0.8"
mdhtml = { path = "../../utils/mdhtml", features = ["markdown"] }
uriproxy = { path = "../../utils/uriproxy" } uriproxy = { path = "../../utils/uriproxy" }
httpsign = { path = "../../utils/httpsign/" } httpsign = { path = "../../utils/httpsign/" }
jrd = "0.1" jrd = "0.1"

View file

@ -25,10 +25,10 @@ impl Normalizer for crate::Context {
async fn insert_object(&self, object: impl apb::Object, tx: &impl ConnectionTrait) -> Result<crate::model::object::Model, NormalizerError> { async fn insert_object(&self, object: impl apb::Object, tx: &impl ConnectionTrait) -> Result<crate::model::object::Model, NormalizerError> {
let mut object_model = AP::object(&object)?; let mut object_model = AP::object(&object)?;
// make sure content only contains a safe subset of html // TOO should we make sure content only contains a safe subset of html ? frontend does it too
if let Some(content) = object_model.content { // if let Some(content) = object_model.content {
object_model.content = Some(mdhtml::safe_html(&content)); // object_model.content = Some(mdhtml::safe_html(&content));
} // }
// fix context for remote posts // fix context for remote posts
// > if any link is broken or we get rate limited, the whole insertion fails which is // > if any link is broken or we get rate limited, the whole insertion fails which is