Drop HTMLSanitizeEx and fix title sanitizing

Signed-off-by: Thomas Citharel <tcit@tcit.fr>
2020-06-24 16:33:59 +02:00
parent 0f489757f7
commit 83aa005faf
12 changed files with 40 additions and 17 deletions
--- a/lib/service/export/icalendar.ex
+++ b/lib/service/export/icalendar.ex
@@ -7,6 +7,7 @@ defmodule Mobilizon.Service.Export.ICalendar do
  alias Mobilizon.Actors.Actor
  alias Mobilizon.Addresses.Address
  alias Mobilizon.Events.{Event, FeedToken}
+  alias Mobilizon.Service.Formatter.HTML
  alias Mobilizon.Storage.Page
  alias Mobilizon.Users.User

@@ -31,7 +32,7 @@ defmodule Mobilizon.Service.Export.ICalendar do
      dtstart: event.begins_on,
      dtstamp: event.publish_at || DateTime.utc_now(),
      dtend: event.ends_on,
-      description: HtmlSanitizeEx.strip_tags(event.description),
+      description: HTML.strip_tags(event.description),
      uid: event.uuid,
      url: event.url,
      geo: Address.coords(event.physical_address),
--- a/lib/service/formatter/html.ex
+++ b/lib/service/formatter/html.ex
@@ -14,5 +14,15 @@ defmodule Mobilizon.Service.Formatter.HTML do

  def filter_tags(html), do: Sanitizer.scrub(html, DefaultScrubbler)

+  def strip_tags(html) do
+    case FastSanitize.strip_tags(html) do
+      {:ok, html} ->
+        html
+
+      _ ->
+        raise "Failed to filter tags"
+    end
+  end
+
  def filter_tags_for_oembed(html), do: Sanitizer.scrub(html, OEmbed)
 end
--- a/lib/service/metadata/event.ex
+++ b/lib/service/metadata/event.ex
@@ -2,6 +2,7 @@ defimpl Mobilizon.Service.Metadata, for: Mobilizon.Events.Event do
  alias Phoenix.HTML
  alias Phoenix.HTML.Tag
  alias Mobilizon.Events.Event
+  alias Mobilizon.Service.Formatter.HTML, as: HTMLFormatter
  alias Mobilizon.Web.JsonLD.ObjectView
  alias Mobilizon.Web.MediaProxy
  import Mobilizon.Web.Gettext
@@ -49,15 +50,15 @@ defimpl Mobilizon.Service.Metadata, for: Mobilizon.Events.Event do

  defp process_description(description, _locale) do
    description
-    |> HtmlSanitizeEx.strip_tags()
+    |> HTMLFormatter.strip_tags()
    |> String.slice(0..200)
    |> (&"#{&1}…").()
  end

  # Insert JSON-LD schema by hand because Tag.content_tag wants to escape it
-  defp json(%Event{} = event) do
+  defp json(%Event{title: title} = event) do
    "event.json"
-    |> ObjectView.render(%{event: event})
+    |> ObjectView.render(%{event: %{event | title: HTMLFormatter.strip_tags(title)}})
    |> Jason.encode!()
  end
 end
--- a/lib/service/metadata/instance.ex
+++ b/lib/service/metadata/instance.ex
@@ -7,6 +7,7 @@ defmodule Mobilizon.Service.Metadata.Instance do
  alias Phoenix.HTML.Tag

  alias Mobilizon.Config
+  alias Mobilizon.Service.Formatter.HTML, as: HTMLFormatter
  alias Mobilizon.Web.Endpoint

  def build_tags do
@@ -40,7 +41,7 @@ defmodule Mobilizon.Service.Metadata.Instance do

  defp process_description(description) do
    description
-    |> HtmlSanitizeEx.strip_tags()
+    |> HTMLFormatter.strip_tags()
    |> String.slice(0..200)
    |> (&"#{&1}…").()
  end
--- a/lib/service/workers/build_search.ex
+++ b/lib/service/workers/build_search.ex
@@ -7,6 +7,7 @@ defmodule Mobilizon.Service.Workers.BuildSearch do

  alias Mobilizon.Events
  alias Mobilizon.Events.Event
+  alias Mobilizon.Service.Formatter.HTML
  alias Mobilizon.Storage.Repo

  use Mobilizon.Service.Workers.Helper, queue: "search"
@@ -44,7 +45,7 @@ defmodule Mobilizon.Service.Workers.BuildSearch do
      [
        event.id,
        event.title,
-        HtmlSanitizeEx.strip_tags(event.description),
+        HTML.strip_tags(event.description),
        get_tags_string(event)
      ]
    )