fix: don't normalize html by default
it breaks remote posts a little and frontend sanitizes again anyway so might as well store the original stuff they serve us? could be malicious tho, if FE doesn't sanitize again could lead to stored XSS, maybe reconsider?
parent
0f97d7656a
commit
9f81116ba3
2 changed files with 4 additions and 5 deletions
|
@ -25,7 +25,6 @@ serde_json = "1"
|
|||
serde_default = "0.1"
|
||||
serde-inline-default = "0.2"
|
||||
toml = "0.8"
|
||||
mdhtml = { path = "../../utils/mdhtml", features = ["markdown"] }
|
||||
uriproxy = { path = "../../utils/uriproxy" }
|
||||
httpsign = { path = "../../utils/httpsign/" }
|
||||
jrd = "0.1"
|
||||
|
|
|
@ -25,10 +25,10 @@ impl Normalizer for crate::Context {
|
|||
async fn insert_object(&self, object: impl apb::Object, tx: &impl ConnectionTrait) -> Result<crate::model::object::Model, NormalizerError> {
|
||||
let mut object_model = AP::object(&object)?;
|
||||
|
||||
// make sure content only contains a safe subset of html
|
||||
if let Some(content) = object_model.content {
|
||||
object_model.content = Some(mdhtml::safe_html(&content));
|
||||
}
|
||||
// TOO should we make sure content only contains a safe subset of html ? frontend does it too
|
||||
// if let Some(content) = object_model.content {
|
||||
// object_model.content = Some(mdhtml::safe_html(&content));
|
||||
// }
|
||||
|
||||
// fix context for remote posts
|
||||
// > if any link is broken or we get rate limited, the whole insertion fails which is
|
||||
|
|
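Review bot: Every reader of the stored `content` now has to sanitize it itself, because `insert_object` persists remote HTML exactly as received once the `mdhtml::safe_html` call is commented out; nothing visible in this hunk enforces or documents that for consumers other than the bundled frontend (API clients, for instance). The title says "by default", but the block is disabled unconditionally rather than gated on a setting, so sanitization cannot be turned back on without editing code. Consider keeping the call behind a configuration switch, e.g. `if <sanitize_flag> { object_model.content = object_model.content.map(|c| mdhtml::safe_html(&c)); }` (the flag name is a placeholder), or sanitizing once on the server at the output boundary, and replace the commented-out lines with a short comment such as `// content is stored as received and must be treated as untrusted HTML by every reader`. The marker `TOO` in the new comment looks like a typo for `TODO`. The body of `insert_object` continues past the end of the hunk, so later handling of `content` is not visible here.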