From cbc5b8cebd9255e0c49e8fb02daed4680be1d336 Mon Sep 17 00:00:00 2001
From: Lain Soykaf
Date: Fri, 2 Jun 2023 17:03:21 +0400
Subject: [PATCH 1/2] B Preload: Make sure that the preloaded json is html safe
---
 lib/pleroma/web/preload.ex | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/lib/pleroma/web/preload.ex b/lib/pleroma/web/preload.ex
index 4485383f9..6a4a8885e 100644
--- a/lib/pleroma/web/preload.ex
+++ b/lib/pleroma/web/preload.ex
@@ -11,7 +11,7 @@ def build_tags(_conn, params) do
 terms =
 params
 |> parser.generate_terms()
- |> Enum.map(fn {k, v} -> {k, Base.encode64(Jason.encode!(v))} end)
+ |> Enum.map(fn {k, v} -> {k, Base.encode64(Jason.encode!(v, escape: :html_safe))} end)
 |> Enum.into(%{})
 Map.merge(acc, terms)
@@ -19,7 +19,7 @@ def build_tags(_conn, params) do
 rendered_html =
 preload_data
- |> Jason.encode!()
+ |> Jason.encode!(escape: :html_safe)
 |> build_script_tag()
 |> HTML.safe_to_string()
From 40d40d67a3cee4d57f9200d0980df1b21d08a834 Mon Sep 17 00:00:00 2001
From: Lain Soykaf
Date: Fri, 2 Jun 2023 17:09:23 +0400
Subject: [PATCH 2/2] Add changelog.
---
 changelog.d/3901.security | 1 +
 1 file changed, 1 insertion(+)
 create mode 100644 changelog.d/3901.security
diff --git a/changelog.d/3901.security b/changelog.d/3901.security
new file mode 100644
index 000000000..a3d8bd01f
--- /dev/null
+++ b/changelog.d/3901.security
@@ -0,0 +1 @@
+Preload: Make generated JSON html-safe. It already was html safe because it only consists of config data that is base64 encoded, but this will keep it safe it that ever changes.
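Review bot: The `escape: :html_safe` added to the inner `Jason.encode!(v, ...)` call buys no HTML safety by itself, because its output goes straight into `Base.encode64/1` and Base64 output is limited to `[A-Za-z0-9+/=]`, none of which can close a `<script>` element or open a tag; the protection that matters is on the outer encode of `preload_data` in the next hunk. The extra escaping is harmless (the client's `JSON.parse` turns `\u003c` back into `<` after decoding), but it inflates the payload slightly and reads as if this were the line keeping the page safe. Either drop it, or keep it with a one-line comment such as `# belt-and-braces only: the outer Jason.encode!/2 of preload_data is what must stay :html_safe` so a later reader does not loosen the outer call believing this one covers it. The `Enum.reduce` callback this sits in, and `build_tags/2` itself, begin before and end after the hunk.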
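Review bot: This line is now the single point that keeps provider-supplied data from terminating the `<script>` element, and nothing in the patch pins that behaviour down; a regression test next to the existing preload tests that feeds a provider value containing `</script>`, `<!--` and U+2028 through `build_tags/2` and asserts the rendered tag contains `\u003c/script` rather than a literal `</script>` would make the changelog's "if that ever changes" promise enforceable. The escape only holds if `build_script_tag/1`, defined outside this hunk, inserts the JSON as raw content rather than HTML-escaping or re-encoding it, which cannot be confirmed from these lines and is worth checking. A why-comment on the call would also help, e.g. `# :html_safe escapes <, >, & (and, per Jason's docs, the U+2028/U+2029 line terminators) so the JSON can never break out of the surrounding <script> tag`. `build_tags/2` continues past the end of the hunk.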