authorlain <lain@soykaf.club>2023-06-06 13:31:08 +0000
committerlain <lain@soykaf.club>2023-06-06 13:31:08 +0000
commit43458cb7a144f984d2d745e50b8a992c7482265c (patch)
tree68c0abfec2b0812370e82a2c7b7c1eecfd9d973a
parente8d35256653d196fd7c0daba8673a74dfe40a8e8 (diff)
parent40d40d67a3cee4d57f9200d0980df1b21d08a834 (diff)
Merge branch 'preload-escaping' into 'develop'
B Preload: Make sure that the preloaded json is html safe See merge request pleroma/pleroma!3901
-rw-r--r--changelog.d/3901.security1
-rw-r--r--lib/pleroma/web/preload.ex4
2 files changed, 3 insertions, 2 deletions
diff --git a/changelog.d/3901.security b/changelog.d/3901.security
new file mode 100644
index 000000000..a3d8bd01f
--- /dev/null
+++ b/changelog.d/3901.security
@@ -0,0 +1 @@
+Preload: Make generated JSON html-safe. It already was html safe because it only consists of config data that is base64 encoded, but this will keep it safe it that ever changes.
diff --git a/lib/pleroma/web/preload.ex b/lib/pleroma/web/preload.ex
index 4485383f9..6a4a8885e 100644
--- a/lib/pleroma/web/preload.ex
+++ b/lib/pleroma/web/preload.ex
@@ -11,7 +11,7 @@ defmodule Pleroma.Web.Preload do
terms =
params
|> parser.generate_terms()
- |> Enum.map(fn {k, v} -> {k, Base.encode64(Jason.encode!(v))} end)
+ |> Enum.map(fn {k, v} -> {k, Base.encode64(Jason.encode!(v, escape: :html_safe))} end)
|> Enum.into(%{})
Map.merge(acc, terms)
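Review bot: The new `escape: :html_safe` on the inner `Jason.encode!` needs a why-comment, because the value is base64-encoded on the same line and a later reader is likely to drop the option as redundant. I'd put above the `Enum.map` line: `# html_safe is defence in depth: base64 already keeps these values out of HTML syntax, but the inner JSON stays safe to inline in a <script> tag if that step is ever removed.` The same option is added to the outer `Jason.encode!` in the second hunk of this file, where the output goes straight into `build_script_tag/1` and the escaping actually takes effect, so the comment could point there too. While touching this line, `Enum.map(...)` followed by `Enum.into(%{})` collapses into a single `|> Map.new(fn {k, v} -> {k, Base.encode64(Jason.encode!(v, escape: :html_safe))} end)`. The enclosing function starts outside the hunk.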
@@ -19,7 +19,7 @@ defmodule Pleroma.Web.Preload do
rendered_html =
preload_data
- |> Jason.encode!()
+ |> Jason.encode!(escape: :html_safe)
|> build_script_tag()
|> HTML.safe_to_string()