Correctly escape user-defined names in emails

Closes #1151 Signed-off-by: Thomas Citharel <tcit@tcit.fr>
2022-10-31 13:00:45 +01:00
parent 695d773d50
commit 470a3e594b
28 changed files with 162 additions and 118 deletions
--- a/lib/service/metadata/actor.ex
+++ b/lib/service/metadata/actor.ex
@@ -5,7 +5,10 @@ defimpl Mobilizon.Service.Metadata, for: Mobilizon.Actors.Actor do
  alias Mobilizon.Web.Endpoint
  alias Mobilizon.Web.JsonLD.ObjectView
  alias Mobilizon.Web.Router.Helpers, as: Routes
-  import Mobilizon.Service.Metadata.Utils, only: [process_description: 2, default_description: 1]
+
+  import Mobilizon.Service.Metadata.Utils,
+    only: [process_description: 2, default_description: 1, escape_text: 1]
+
  import Mobilizon.Web.Gettext

  def build_tags(_actor, _locale \\ "en")
@@ -19,7 +22,7 @@ defimpl Mobilizon.Service.Metadata, for: Mobilizon.Actors.Actor do
      end)

    [
-      Tag.tag(:meta, property: "og:title", content: Actor.display_name_and_username(group)),
+      Tag.tag(:meta, property: "og:title", content: actor_display_name_escaped(group)),
      Tag.tag(:meta,
        property: "og:url",
        content:
@@ -34,7 +37,7 @@ defimpl Mobilizon.Service.Metadata, for: Mobilizon.Actors.Actor do
      Tag.tag(:meta, property: "og:type", content: "profile"),
      Tag.tag(:meta,
        property: "profile:username",
-        content: Actor.preferred_username_and_domain(group)
+        content: group |> Actor.preferred_username_and_domain() |> escape_text()
      ),
      Tag.tag(:meta, property: "twitter:card", content: "summary"),
      Tag.tag(:meta, property: "twitter:site", content: "@joinmobilizon")
@@ -67,7 +70,7 @@ defimpl Mobilizon.Service.Metadata, for: Mobilizon.Actors.Actor do
        %{
          "@type" => "ListItem",
          "position" => 1,
-          "name" => Actor.display_name(group)
+          "name" => actor_display_name_escaped(group)
        }
      ]
    }
@@ -87,16 +90,14 @@ defimpl Mobilizon.Service.Metadata, for: Mobilizon.Actors.Actor do
        Tag.tag(:link,
          rel: "alternate",
          type: "application/atom+xml",
-          title:
-            gettext("%{name}'s feed", name: group.name || group.preferred_username) |> HTML.raw(),
+          title: gettext("%{name}'s feed", name: actor_display_name_escaped(group)) |> HTML.raw(),
          href:
            Routes.feed_url(Endpoint, :actor, Actor.preferred_username_and_domain(group), :atom)
        ),
        Tag.tag(:link,
          rel: "alternate",
          type: "text/calendar",
-          title:
-            gettext("%{name}'s feed", name: group.name || group.preferred_username) |> HTML.raw(),
+          title: gettext("%{name}'s feed", name: actor_display_name_escaped(group)) |> HTML.raw(),
          href:
            Routes.feed_url(
              Endpoint,
@@ -131,4 +132,10 @@ defimpl Mobilizon.Service.Metadata, for: Mobilizon.Actors.Actor do
    |> ObjectView.render(%{group: group})
    |> Jason.encode!()
  end
+
+  defp actor_display_name_escaped(actor) do
+    actor
+    |> Actor.display_name()
+    |> escape_text()
+  end
 end
--- a/lib/service/metadata/comment.ex
+++ b/lib/service/metadata/comment.ex
@@ -1,11 +1,13 @@
 defimpl Mobilizon.Service.Metadata, for: Mobilizon.Discussions.Comment do
  alias Phoenix.HTML.Tag
+  alias Mobilizon.Actors.Actor
  alias Mobilizon.Discussions.Comment
+  import Mobilizon.Service.Metadata.Utils, only: [escape_text: 1]

  @spec build_tags(Comment.t(), String.t()) :: list(Phoenix.HTML.safe())
  def build_tags(%Comment{deleted_at: nil} = comment, _locale) do
    [
-      Tag.tag(:meta, property: "og:title", content: comment.actor.preferred_username),
+      Tag.tag(:meta, property: "og:title", content: escape_text(Actor.display_name(comment.actor))),
      Tag.tag(:meta, property: "og:url", content: comment.url),
      Tag.tag(:meta, property: "og:description", content: comment.text),
      Tag.tag(:meta, property: "og:type", content: "website"),
--- a/lib/service/metadata/event.ex
+++ b/lib/service/metadata/event.ex
@@ -9,15 +9,21 @@ defimpl Mobilizon.Service.Metadata, for: Mobilizon.Events.Event do
  alias Mobilizon.Web.Router.Helpers, as: Routes

  import Mobilizon.Service.Metadata.Utils,
-    only: [process_description: 2, strip_tags: 1, datetime_to_string: 2, render_address!: 1]
+    only: [
+      process_description: 2,
+      strip_tags: 1,
+      datetime_to_string: 2,
+      render_address!: 1,
+      escape_text: 1
+    ]

  def build_tags(%Event{} = event, locale \\ "en") do
    formatted_description = description(event, locale)

    tags = [
-      Tag.content_tag(:title, event.title <> " - Mobilizon"),
+      Tag.content_tag(:title, escape_text(event.title) <> " - Mobilizon"),
      Tag.tag(:meta, name: "description", content: process_description(event.description, locale)),
-      Tag.tag(:meta, property: "og:title", content: event.title),
+      Tag.tag(:meta, property: "og:title", content: escape_text(event.title)),
      Tag.tag(:meta, property: "og:url", content: event.url),
      Tag.tag(:meta, property: "og:description", content: formatted_description),
      Tag.tag(:meta, property: "og:type", content: "website"),
@@ -48,7 +54,7 @@ defimpl Mobilizon.Service.Metadata, for: Mobilizon.Events.Event do
              %{
                "@type" => "ListItem",
                "position" => 1,
-                "name" => Actor.display_name(event.attributed_to),
+                "name" => event.attributed_to |> Actor.display_name() |> escape_text(),
                "item" =>
                  Endpoint
                  |> Routes.page_url(
@@ -85,7 +91,7 @@ defimpl Mobilizon.Service.Metadata, for: Mobilizon.Events.Event do
              %{
                "@type" => "ListItem",
                "position" => 2,
-                "name" => event.title
+                "name" => escape_text(event.title)
              }
            ]
          }
--- a/lib/service/metadata/post.ex
+++ b/lib/service/metadata/post.ex
@@ -7,14 +7,16 @@ defimpl Mobilizon.Service.Metadata, for: Mobilizon.Posts.Post do
  alias Mobilizon.Web.Endpoint
  alias Mobilizon.Web.JsonLD.ObjectView
  alias Mobilizon.Web.Router.Helpers, as: Routes
-  import Mobilizon.Service.Metadata.Utils, only: [process_description: 2, strip_tags: 1]
+
+  import Mobilizon.Service.Metadata.Utils,
+    only: [process_description: 2, strip_tags: 1, escape_text: 1]

  def build_tags(%Post{} = post, locale \\ "en") do
    post = Map.put(post, :body, process_description(post.body, locale))

    tags =
      [
-        Tag.tag(:meta, property: "og:title", content: post.title),
+        Tag.tag(:meta, property: "og:title", content: escape_text(post.title)),
        Tag.tag(:meta, property: "og:url", content: post.url),
        Tag.tag(:meta, property: "og:description", content: post.body),
        Tag.tag(:meta, property: "og:type", content: "article"),
@@ -31,7 +33,7 @@ defimpl Mobilizon.Service.Metadata, for: Mobilizon.Posts.Post do
        %{
          "@type" => "ListItem",
          "position" => 1,
-          "name" => Actor.display_name(post.attributed_to),
+          "name" => post.attributed_to |> Actor.display_name() |> escape_text,
          "item" =>
            Endpoint
            |> Routes.page_url(
--- a/lib/service/metadata/utils.ex
+++ b/lib/service/metadata/utils.ex
@@ -74,4 +74,11 @@ defmodule Mobilizon.Service.Metadata.Utils do

  @spec stringify_tag(String.t(), String.t()) :: String.t()
  defp stringify_tag(tag, acc) when is_binary(tag), do: acc <> tag
+
+  @spec escape_text(String.t()) :: String.t()
+  def escape_text(text) do
+    text
+    |> HTML.html_escape()
+    |> HTML.safe_to_string()
+  end
 end