Merge branch 'preload-escaping' into 'develop'
B Preload: Make sure that the preloaded json is html safe See merge request pleroma/pleroma!3901
commit
43458cb7a1
2 changed files with 3 additions and 2 deletions
1
changelog.d/3901.security
Normal file
1
changelog.d/3901.security
Normal file
|
@ -0,0 +1 @@
|
|||
Preload: Make generated JSON html-safe. It already was html safe because it only consists of config data that is base64 encoded, but this will keep it safe it that ever changes.
|
|
@ -11,7 +11,7 @@ defmodule Pleroma.Web.Preload do
|
|||
terms =
|
||||
params
|
||||
|> parser.generate_terms()
|
||||
|> Enum.map(fn {k, v} -> {k, Base.encode64(Jason.encode!(v))} end)
|
||||
|> Enum.map(fn {k, v} -> {k, Base.encode64(Jason.encode!(v, escape: :html_safe))} end)
|
||||
|> Enum.into(%{})
|
||||
|
||||
Map.merge(acc, terms)
|
||||
|
@ -19,7 +19,7 @@ defmodule Pleroma.Web.Preload do
|
|||
|
||||
rendered_html =
|
||||
preload_data
|
||||
|> Jason.encode!()
|
||||
|> Jason.encode!(escape: :html_safe)
|
||||
|> build_script_tag()
|
||||
|> HTML.safe_to_string()
|
||||
|
||||
|
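Review bot: The `|> Jason.encode!(escape: :html_safe)` in the second hunk is the change that actually matters, because that JSON goes straight into `build_script_tag()` and is then marked safe by `HTML.safe_to_string()`, yet the reason lives only in the commit message; add a why-comment above the call, e.g. `# Inlined into a <script> body: :html_safe emits "<"/">" as unicode escapes so a "</script>" inside any preloaded value cannot close the tag early.` The `escape: :html_safe` added in the first hunk is applied before `Base.encode64/1`, so it changes nothing at the HTML level and deserves a short comment saying it is defence in depth only, as the changelog entry already states. Whether `build_script_tag/1` escapes or wraps the payload itself cannot be seen here (it is defined outside the hunk); if it already HTML-escapes, the new option is redundant rather than harmful, and if it uses a raw marker, this option is the only thing standing between preloaded data and the script context.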
|