static_fe: Sanitize HTML in posts

Note: Seems to have different sanitization with TwitterCard generator giving the following: <meta content=\"“alert('xss')”\" property=\"twitter:description\">
author: Haelwenn (lanodan) Monnier <contact@hacktivis.me> 2020-03-15 15:45:57 +0100
committer: Haelwenn (lanodan) Monnier <contact@hacktivis.me> 2020-03-15 20:44:04 +0100
commit: 0ac6e296549f43e553bdd2350050efcf95d3b6fa (patch)
tree: ce1668ebf3704803b370402911a308e90e71c9b2 /lib
parent: fa4ec17c841a65eccacdc35c98b6c047549b305b (diff)
download: pleroma-0ac6e296549f43e553bdd2350050efcf95d3b6fa.tar.gz
pleroma-0ac6e296549f43e553bdd2350050efcf95d3b6fa.zip
1 files changed, 8 insertions, 1 deletions
diff --git a/lib/pleroma/web/static_fe/static_fe_controller.ex b/lib/pleroma/web/static_fe/static_fe_controller.ex
index 5027d5c23..0b77f949c 100644
--- a/lib/pleroma/web/static_fe/static_fe_controller.ex
+++ b/lib/pleroma/web/static_fe/static_fe_controller.ex
@@ -58,10 +58,17 @@ defmodule Pleroma.Web.StaticFE.StaticFEController do
         _ -> data["url"] || data["external_url"] || data["id"]
       end
 
+    content =
+      if data["content"] do
+        Pleroma.HTML.filter_tags(data["content"])
+      else
+        nil
+      end
+
     %{
       user: user,
       title: get_title(activity.object),
-      content: data["content"] || nil,
+      content: content,
       attachment: data["attachment"],
       link: link,
       published: data["published"],
author	Haelwenn (lanodan) Monnier <contact@hacktivis.me>	2020-03-15 15:45:57 +0100
committer	Haelwenn (lanodan) Monnier <contact@hacktivis.me>	2020-03-15 20:44:04 +0100
commit	0ac6e296549f43e553bdd2350050efcf95d3b6fa (patch)
tree	ce1668ebf3704803b370402911a308e90e71c9b2 /lib
parent	fa4ec17c841a65eccacdc35c98b6c047549b305b (diff)
download	pleroma-0ac6e296549f43e553bdd2350050efcf95d3b6fa.tar.gz pleroma-0ac6e296549f43e553bdd2350050efcf95d3b6fa.zip