fix: don't normalize html by default

it breaks remote posts a little and frontend sanitizes again anyway so might as well store the original stuff they serve us? could be malicious tho, if FE doesn't sanitize again could lead to stored XSS, maybe reconsider?
2024-07-04 01:50:39 +02:00 · 2024-07-04 01:50:39 +02:00 · 9f81116ba3
commit 9f81116ba3
parent 0f97d7656a
2 changed files with 4 additions and 5 deletions
--- a/upub/core/Cargo.toml
+++ b/upub/core/Cargo.toml
@ -25,7 +25,6 @@ serde_json = "1"
 serde_default = "0.1"
 serde-inline-default = "0.2"
 toml = "0.8"
-mdhtml = { path = "../../utils/mdhtml", features = ["markdown"] }
 uriproxy = { path = "../../utils/uriproxy" }
 httpsign = { path = "../../utils/httpsign/" }
 jrd = "0.1"
--- a/upub/core/src/traits/normalize.rs
+++ b/upub/core/src/traits/normalize.rs
@ -25,10 +25,10 @@ impl Normalizer for crate::Context {
 	async fn insert_object(&self, object: impl apb::Object, tx: &impl ConnectionTrait) -> Result<crate::model::object::Model, NormalizerError> {
 		let mut object_model = AP::object(&object)?;

-		// make sure content only contains a safe subset of html
-		if let Some(content) = object_model.content {
-			object_model.content = Some(mdhtml::safe_html(&content));
-		}
+		// TOO should we make sure content only contains a safe subset of html ? frontend does it too
+		// if let Some(content) = object_model.content {
+		//	object_model.content = Some(mdhtml::safe_html(&content));
+		// }

 		// fix context for remote posts
 		// > if any link is broken or we get rate limited, the whole insertion fails which is