commit: 43458cb7a144f984d2d745e50b8a992c7482265c
parent e8d35256653d196fd7c0daba8673a74dfe40a8e8
Author: lain <lain@soykaf.club>
Date:   Tue,  6 Jun 2023 13:31:08 +0000

Merge branch 'preload-escaping' into 'develop'

Preload: Make sure that the preloaded JSON is HTML-safe

See merge request pleroma/pleroma!3901

Diffstat:

Achangelog.d/3901.security1+
Mlib/pleroma/web/preload.ex4++--
2 files changed, 3 insertions(+), 2 deletions(-)

diff --git a/changelog.d/3901.security b/changelog.d/3901.security
@@ -0,0 +1 @@
+Preload: Make generated JSON html-safe. It already was html safe because it only consists of config data that is base64 encoded, but this will keep it safe it that ever changes.
diff --git a/lib/pleroma/web/preload.ex b/lib/pleroma/web/preload.ex
@@ -11,7 +11,7 @@ defmodule Pleroma.Web.Preload do
 terms =
 params
 |> parser.generate_terms()
-|> Enum.map(fn {k, v} -> {k, Base.encode64(Jason.encode!(v))} end)
+|> Enum.map(fn {k, v} -> {k, Base.encode64(Jason.encode!(v, escape: :html_safe))} end)
 |> Enum.into(%{})
 Map.merge(acc, terms)
@@ -19,7 +19,7 @@ defmodule Pleroma.Web.Preload do
 rendered_html =
 preload_data
-|> Jason.encode!()
+|> Jason.encode!(escape: :html_safe)
 |> build_script_tag()
 |> HTML.safe_to_string()
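Review bot: In the first preload.ex hunk the `escape: :html_safe` option is applied before `Base.encode64`, so it does not change the HTML safety of the emitted page — the base64 alphabet contains no HTML-sensitive characters, and the escaped JSON decodes to the same value once the client base64-decodes and parses it — which makes this call defense in depth rather than the protective layer, as the changelog entry itself says. A comment would stop a future maintainer from treating it as load-bearing: `# defense in depth: Base.encode64 below is what keeps this value html-safe today`. The layer that actually matters is the second hunk, where the JSON is written straight into a script tag via `build_script_tag()` and `:html_safe` keeps a `</script>` sequence in any string value from closing the tag. The function enclosing this hunk (the reducer ending in `Map.merge(acc, terms)`) begins outside the hunk, and the second hunk's function runs past the end of the visible text.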