escaping summary and other fields in xml templates

Alexander Strizhakov 2020-11-10 10:44:22 +03:00
parent db07b538a5
commit 0c68b9ac13
No known key found for this signature in database
GPG key ID: 022896A53AEF1381
4 changed files with 29 additions and 54 deletions


@ -83,7 +83,7 @@ def activity_content(%{"content" => content}) do
def activity_content(_), do: "" def activity_content(_), do: ""
def activity_context(activity), do: activity.data["context"] def activity_context(activity), do: escape(activity.data["context"])
def attachment_href(attachment) do def attachment_href(attachment) do
attachment["url"] attachment["url"]
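Review bot: The value now escaped in `activity_context/1` is rendered inside an attribute value (`<link href="<%= activity_context(@activity) %>" …>` in the atom template) as well as as element text in the RSS template, so `escape/1` must replace `"` (and `'`) in addition to `&`, `<` and `>`; `escape/1` is not in the hunk, so please confirm it covers the attribute case, otherwise a context containing a double quote would not be neutralised in that position. It is also worth confirming that `escape/1` accepts `nil`, since `activity.data["context"]` was previously returned as-is and a missing key now reaches the escaper. A `@doc` on `escape/1` stating which characters it replaces and that the result is safe for both element text and attribute values would make the contract explicit at both call sites. `attachment_href/1` continues outside the hunk.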


@ -12,7 +12,7 @@
<link href="<%= activity_context(@activity) %>" rel="ostatus:conversation"/> <link href="<%= activity_context(@activity) %>" rel="ostatus:conversation"/>
<%= if @data["summary"] do %> <%= if @data["summary"] do %>
<summary><%= @data["summary"] %></summary> <summary><%= escape(@data["summary"]) %></summary>
<% end %> <% end %>
<%= if @activity.local do %> <%= if @activity.local do %>


@ -12,7 +12,7 @@
<link rel="ostatus:conversation"><%= activity_context(@activity) %></link> <link rel="ostatus:conversation"><%= activity_context(@activity) %></link>
<%= if @data["summary"] do %> <%= if @data["summary"] do %>
<description><%= @data["summary"] %></description> <description><%= escape(@data["summary"]) %></description>
<% end %> <% end %>
<%= if @activity.local do %> <%= if @activity.local do %>


@ -12,16 +12,17 @@ defmodule Pleroma.Web.Feed.UserControllerTest do
alias Pleroma.Object alias Pleroma.Object
alias Pleroma.User alias Pleroma.User
alias Pleroma.Web.CommonAPI alias Pleroma.Web.CommonAPI
alias Pleroma.Web.Feed.FeedView
setup do: clear_config([:static_fe, :enabled], false) setup do: clear_config([:static_fe, :enabled], false)
describe "feed" do describe "feed" do
setup do: clear_config([:feed]) setup do: clear_config([:feed])
test "gets an atom feed", %{conn: conn} do setup do
Config.put( Config.put(
[:feed, :post_title], [:feed, :post_title],
%{max_length: 10, omission: "..."} %{max_length: 15, omission: "..."}
) )
activity = insert(:note_activity) activity = insert(:note_activity)
@ -29,7 +30,8 @@ test "gets an atom feed", %{conn: conn} do
note = note =
insert(:note, insert(:note,
data: %{ data: %{
"content" => "This is :moominmamma: note ", "content" => "This & this is :moominmamma: note ",
"source" => "This & this is :moominmamma: note ",
"attachment" => [ "attachment" => [
%{ %{
"url" => [ "url" => [
@ -37,7 +39,9 @@ test "gets an atom feed", %{conn: conn} do
] ]
} }
], ],
"inReplyTo" => activity.data["id"] "inReplyTo" => activity.data["id"],
"context" => "2hu & as",
"summary" => "2hu & as"
} }
) )
@ -48,7 +52,7 @@ test "gets an atom feed", %{conn: conn} do
insert(:note, insert(:note,
user: user, user: user,
data: %{ data: %{
"content" => "42 This is :moominmamma: note ", "content" => "42 & This is :moominmamma: note ",
"inReplyTo" => activity.data["id"] "inReplyTo" => activity.data["id"]
} }
) )
@ -56,6 +60,10 @@ test "gets an atom feed", %{conn: conn} do
note_activity2 = insert(:note_activity, note: note2) note_activity2 = insert(:note_activity, note: note2)
object = Object.normalize(note_activity) object = Object.normalize(note_activity)
[user: user, object: object, max_id: note_activity2.id]
end
test "gets an atom feed", %{conn: conn, user: user, object: object, max_id: max_id} do
resp = resp =
conn conn
|> put_req_header("accept", "application/atom+xml") |> put_req_header("accept", "application/atom+xml")
@ -67,13 +75,15 @@ test "gets an atom feed", %{conn: conn} do
|> SweetXml.parse() |> SweetXml.parse()
|> SweetXml.xpath(~x"//entry/title/text()"l) |> SweetXml.xpath(~x"//entry/title/text()"l)
assert activity_titles == ['42 This...', 'This is...'] assert activity_titles == ['42 &amp; Thi...', 'This &amp; t...']
assert resp =~ object.data["content"] assert resp =~ FeedView.escape(object.data["content"])
assert resp =~ FeedView.escape(object.data["summary"])
assert resp =~ FeedView.escape(object.data["context"])
resp = resp =
conn conn
|> put_req_header("accept", "application/atom+xml") |> put_req_header("accept", "application/atom+xml")
|> get("/users/#{user.nickname}/feed", %{"max_id" => note_activity2.id}) |> get("/users/#{user.nickname}/feed", %{"max_id" => max_id})
|> response(200) |> response(200)
activity_titles = activity_titles =
@ -81,47 +91,10 @@ test "gets an atom feed", %{conn: conn} do
|> SweetXml.parse() |> SweetXml.parse()
|> SweetXml.xpath(~x"//entry/title/text()"l) |> SweetXml.xpath(~x"//entry/title/text()"l)
assert activity_titles == ['This is...'] assert activity_titles == ['This &amp; t...']
end end
test "gets a rss feed", %{conn: conn} do test "gets a rss feed", %{conn: conn, user: user, object: object, max_id: max_id} do
Pleroma.Config.put(
[:feed, :post_title],
%{max_length: 10, omission: "..."}
)
activity = insert(:note_activity)
note =
insert(:note,
data: %{
"content" => "This is :moominmamma: note ",
"attachment" => [
%{
"url" => [
%{"mediaType" => "image/png", "href" => "https://pleroma.gov/image.png"}
]
}
],
"inReplyTo" => activity.data["id"]
}
)
note_activity = insert(:note_activity, note: note)
user = User.get_cached_by_ap_id(note_activity.data["actor"])
note2 =
insert(:note,
user: user,
data: %{
"content" => "42 This is :moominmamma: note ",
"inReplyTo" => activity.data["id"]
}
)
note_activity2 = insert(:note_activity, note: note2)
object = Object.normalize(note_activity)
resp = resp =
conn conn
|> put_req_header("accept", "application/rss+xml") |> put_req_header("accept", "application/rss+xml")
@ -133,13 +106,15 @@ test "gets a rss feed", %{conn: conn} do
|> SweetXml.parse() |> SweetXml.parse()
|> SweetXml.xpath(~x"//item/title/text()"l) |> SweetXml.xpath(~x"//item/title/text()"l)
assert activity_titles == ['42 This...', 'This is...'] assert activity_titles == ['42 &amp; Thi...', 'This &amp; t...']
assert resp =~ object.data["content"] assert resp =~ FeedView.escape(object.data["content"])
assert resp =~ FeedView.escape(object.data["summary"])
assert resp =~ FeedView.escape(object.data["context"])
resp = resp =
conn conn
|> put_req_header("accept", "application/rss+xml") |> put_req_header("accept", "application/rss+xml")
|> get("/users/#{user.nickname}/feed.rss", %{"max_id" => note_activity2.id}) |> get("/users/#{user.nickname}/feed.rss", %{"max_id" => max_id})
|> response(200) |> response(200)
activity_titles = activity_titles =
@ -147,7 +122,7 @@ test "gets a rss feed", %{conn: conn} do
|> SweetXml.parse() |> SweetXml.parse()
|> SweetXml.xpath(~x"//item/title/text()"l) |> SweetXml.xpath(~x"//item/title/text()"l)
assert activity_titles == ['This is...'] assert activity_titles == ['This &amp; t...']
end end
test "returns 404 for a missing feed", %{conn: conn} do test "returns 404 for a missing feed", %{conn: conn} do
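Review bot: The expected titles `['42 &amp; Thi...', 'This &amp; t...']` (hunks at `@ -67,13 +75,15` and `@ -133,13 +106,15`) are text already decoded by `SweetXml.parse/1`, so the XML on the wire carries `&amp;amp;` and a feed reader will display a literal `&amp;` unless the title element is declared `type="html"`; it looks like the title is escaped once while being built (the 15-character window `42 &amp; Thi...` is measured on the already-escaped string) and again by the template. If that double escaping is intended, a comment on these asserts saying so would stop the next reader from "fixing" it; if not, the fix belongs in the title builder rather than in these expectations. Separately, `"context"` and `"summary"` receive the same fixture value `"2hu & as"` (hunk at `@ -37,7 +39,9`), so `assert resp =~ FeedView.escape(object.data["context"])` is satisfied by the summary element alone and does not pin the context escaping on its own; give the context a distinct value, e.g. `"context" => "ctx & tag"` (constructed), and prefer an xpath on the specific node (`~x"//entry/summary/text()"`) over a substring match on the whole response body.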