Merge branch 'preload-escaping' into 'develop'

B Preload: Make sure that the preloaded json is html safe

See merge request pleroma/pleroma!3901
lain 2023-06-06 13:31:08 +00:00
commit 43458cb7a1
2 changed files with 3 additions and 2 deletions


@ -0,0 +1 @@
Preload: Make generated JSON html-safe. It already was html safe because it only consists of config data that is base64 encoded, but this will keep it safe it that ever changes.


@ -11,7 +11,7 @@ defmodule Pleroma.Web.Preload do
terms =
params
|> parser.generate_terms()
|> Enum.map(fn {k, v} -> {k, Base.encode64(Jason.encode!(v))} end)
|> Enum.map(fn {k, v} -> {k, Base.encode64(Jason.encode!(v, escape: :html_safe))} end)
|> Enum.into(%{})
Map.merge(acc, terms)
@ -19,7 +19,7 @@ defmodule Pleroma.Web.Preload do
rendered_html =
preload_data
|> Jason.encode!()
|> Jason.encode!(escape: :html_safe)
|> build_script_tag()
|> HTML.safe_to_string()
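Review bot: The inner `escape: :html_safe` added on the per-term encode (the `Enum.map` line in the first hunk) contributes nothing to HTML safety, because its output goes straight into `Base.encode64/1`, whose alphabet contains no `<`, `>`, `&` or `/`; it only changes the encoded payload bytes (e.g. `/` becomes `\/`), which the client decodes back to the same value. The escaping that actually matters is the outer `Jason.encode!(preload_data, escape: :html_safe)` in the second hunk, since the term keys produced by `parser.generate_terms/1` are not base64-encoded and land verbatim in the rendered output. I would either drop the inner option or keep it with a comment such as `# defence in depth only: the base64 wrapper already keeps this value out of HTML`, and annotate the outer call with `# :html_safe escapes <, >, &, / (and U+2028/U+2029 per Jason's docs) so no key or value can close the tag build_script_tag/1 wraps this in`. The enclosing functions and `build_script_tag/1` lie outside both hunks, so I am assuming from the name that the JSON is emitted inside an inline `<script>` element — worth confirming that is the only context it reaches.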