Merge branch 'preload-escaping' into 'develop'
B Preload: Make sure that the preloaded json is html safe See merge request pleroma/pleroma!3901
commit
43458cb7a1
1
changelog.d/3901.security
Normal file
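--- a/changelog.d/3901.security
+++ b/changelog.d/3901.security
@@ -0,0 +1 @@
+Preload: Make generated JSON html-safe. It already was html safe because it only consists of config data that is base64 encoded, but this will keep it safe it that ever changes.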
@ -11,7 +11,7 @@ defmodule Pleroma.Web.Preload do
terms =
terms =
params
params
|> parser.generate_terms()
|> parser.generate_terms()
|> Enum.map(fn {k, v} -> {k, Base.encode64(Jason.encode!(v))} end)
|> Enum.map(fn {k, v} -> {k, Base.encode64(Jason.encode!(v, escape: :html_safe))} end)
|> Enum.into(%{})
|> Enum.into(%{})
|
|
||||||
Map.merge(acc, terms)
Map.merge(acc, terms)
@ -19,7 +19,7 @@ defmodule Pleroma.Web.Preload do
|
|
||||||
rendered_html =
rendered_html =
preload_data
preload_data
|> Jason.encode!()
|> Jason.encode!(escape: :html_safe)
|> build_script_tag()
|> build_script_tag()
|> HTML.safe_to_string()
|> HTML.safe_to_string()
|
|
||||||
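Review bot: The `escape: :html_safe` on the outer `Jason.encode!` in the `rendered_html` pipeline is the one that carries the security value, and the reason is not recorded in the code: that JSON is presumably embedded verbatim in an inline script body by `build_script_tag/1`, where a literal `</script>` (or `<!--`) inside any value would terminate the element, and `:html_safe` escapes HTML-significant characters such as `<`, `>` and `&` so that cannot happen. Add a why-comment above `rendered_html =`, e.g. `# :html_safe so a </script> inside any value cannot break out of the inline script tag this JSON is embedded in`. The inner `escape: :html_safe` in the `Enum.map` of the first hunk is effectively a no-op because its output is immediately base64-encoded (alphabet `[A-Za-z0-9+/=]`), which the commit message also says; it is harmless, but a short comment there would stop the next reader from assuming it is what makes the page safe. A regression test that pushes a term containing `</script>` through the render path and asserts the literal sequence is absent from the output would pin this behaviour against future changes to what is preloaded. Both enclosing functions and `build_script_tag/1` start and end outside these hunks.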