From f8310114a6a4154118e54ebaac6f4a96941be4a6 Mon Sep 17 00:00:00 2001
From: William Pitcock <nenolod@dereferenced.org>
Date: Sat, 10 Nov 2018 12:04:09 +0000
Subject: [PATCH] activitypub: object view: sanitize both the activity and the
 object when an activity is given for rendering

---
 lib/pleroma/web/activity_pub/views/object_view.ex | 14 +++++++++++++-
 1 file changed, 13 insertions(+), 1 deletion(-)

diff --git a/lib/pleroma/web/activity_pub/views/object_view.ex b/lib/pleroma/web/activity_pub/views/object_view.ex
index df734a871..1911ddfb7 100644
--- a/lib/pleroma/web/activity_pub/views/object_view.ex
+++ b/lib/pleroma/web/activity_pub/views/object_view.ex
@@ -1,11 +1,23 @@
 defmodule Pleroma.Web.ActivityPub.ObjectView do
   use Pleroma.Web, :view
+  alias Pleroma.{Object, Activity}
   alias Pleroma.Web.ActivityPub.Transmogrifier
 
-  def render("object.json", %{object: object}) do
+  def render("object.json", %{object: %Object{} = object}) do
     base = Pleroma.Web.ActivityPub.Utils.make_json_ld_header()
 
     additional = Transmogrifier.prepare_object(object.data)
     Map.merge(base, additional)
   end
+
+  def render("object.json", %{object: %Activity{} = activity}) do
+    base = Pleroma.Web.ActivityPub.Utils.make_json_ld_header()
+    object = Object.normalize(activity.data["object"])
+
+    additional =
+      Transmogrifier.prepare_object(activity.data)
+      |> Map.put("object", Transmogrifier.prepare_object(object.data))
+
+    Map.merge(base, additional)
+  end
 end