authorJulio Capote <jcapote@gmail.com>2023-01-07 02:43:11 +0000
committerJulio Capote <jcapote@gmail.com>2023-01-07 02:43:11 +0000
commitaf05fbea27df62c96b411a941cf5bb612f256e9d (patch)
tree2e0adf39efc67b3531e845586604436cedb8c8d0 /cgi
parent3b92291afc24598faf82a5069326d35f2899b072 (diff)
sanitize/strip any incoming html
Diffstat (limited to 'cgi')
-rw-r--r--cgi/servers.go20
1 files changed, 12 insertions, 8 deletions
diff --git a/cgi/servers.go b/cgi/servers.go
index b014fdb..1f15227 100644
--- a/cgi/servers.go
+++ b/cgi/servers.go
@@ -20,6 +20,7 @@ import (
"git.capotej.com/capotej/communique/models"
"git.capotej.com/capotej/communique/urls"
"git.capotej.com/capotej/communique/views"
+ "github.com/microcosm-cc/bluemonday"
"github.com/mmcdole/gofeed"
"go.uber.org/zap"
)
@@ -28,10 +29,11 @@ type Servers struct {
log *zap.SugaredLogger
persister *models.Persister
cfg config.Config
+ policy *bluemonday.Policy
}
-func NewServers(log *zap.SugaredLogger, persister *models.Persister, cfg config.Config) *Servers {
- return &Servers{log: log, persister: persister, cfg: cfg}
+func NewServers(log *zap.SugaredLogger, persister *models.Persister, cfg config.Config, policy *bluemonday.Policy) *Servers {
+ return &Servers{log: log, persister: persister, cfg: cfg, policy: policy}
}
// Start iterates over all Handlers and starts an internal CGI server for each one
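Review bot: NewServers stores `policy` without a nil check, yet processTick later calls `policy.Sanitize` from goroutines started in Start, so a nil policy would most likely panic there instead of failing at construction. Since the constructor cannot return an error, a safe default such as `if policy == nil { policy = bluemonday.StrictPolicy() }` keeps the sanitizing step from being skipped or crashing. The constructor also lacks a doc comment; something like `// NewServers builds a Servers; policy must be non-nil and is applied to all feed content before it is stored.` would state the contract. Which policy the caller builds is outside this diff, and it decides how much markup actually survives.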
@@ -57,14 +59,14 @@ func (s *Servers) Start() {
// Ticker
go func(aHandler config.Handler) {
defer wg.Done()
- startTicker(aHandler, s.persister, handlerLogger, s.cfg, signed)
+ startTicker(aHandler, s.persister, handlerLogger, s.cfg, signed, s.policy)
}(handler)
// Execute a handler tick on start since Go's ticker waits until $interval to trigger first tick
go func(aHandler config.Handler) {
defer wg.Done()
time.Sleep(1 * time.Second)
output := tick(aHandler, handlerLogger)
- err := processTick(aHandler, output, s.persister, handlerLogger, s.cfg, signed)
+ err := processTick(aHandler, output, s.persister, handlerLogger, s.cfg, signed, s.policy)
if err != nil {
s.log.Error(err)
}
@@ -91,7 +93,7 @@ func startCGIServer(h config.Handler, log *zap.SugaredLogger) {
server.Serve(unixListener)
}
-func startTicker(h config.Handler, persister *models.Persister, log *zap.SugaredLogger, cfg config.Config, signed *delivery.Signed) {
+func startTicker(h config.Handler, persister *models.Persister, log *zap.SugaredLogger, cfg config.Config, signed *delivery.Signed, policy *bluemonday.Policy) {
ticker := time.NewTicker(h.Interval) // TODO add some random jitter here so handlers dont run at the same exact intervals
done := make(chan bool)
func() {
@@ -101,7 +103,7 @@ func startTicker(h config.Handler, persister *models.Persister, log *zap.Sugared
return
case _ = <-ticker.C:
output := tick(h, log)
- err := processTick(h, output, persister, log, cfg, signed)
+ err := processTick(h, output, persister, log, cfg, signed, policy)
if err != nil {
log.Error(err)
}
@@ -110,7 +112,7 @@ func startTicker(h config.Handler, persister *models.Persister, log *zap.Sugared
}()
}
-func processTick(h config.Handler, output []byte, persister *models.Persister, log *zap.SugaredLogger, cfg config.Config, signed *delivery.Signed) error {
+func processTick(h config.Handler, output []byte, persister *models.Persister, log *zap.SugaredLogger, cfg config.Config, signed *delivery.Signed, policy *bluemonday.Policy) error {
fp := gofeed.NewParser()
fp.ParseString(string(output))
feed, err := fp.ParseString(string(output))
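Review bot: The handler output is parsed twice at the top of processTick, because the bare `fp.ParseString(string(output))` call discards both its result and its error before the next line parses the same bytes again. Since this output is the untrusted input the commit sets out to sanitize, the first call only doubles the parsing work on it and can be dropped. processTick now takes seven positional parameters, so a short doc comment saying that `policy` is applied to each item's content before storage would help callers; the body continues outside this hunk.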
@@ -126,8 +128,10 @@ func processTick(h config.Handler, output []byte, persister *models.Persister, l
} else if len(v.Description) != 0 {
extractedContent = v.Description
}
+
if len(extractedContent) != 0 {
- log.Debugf("extracted content '%s'", extractedContent)
+ extractedContent := policy.Sanitize(extractedContent)
+ log.Debugf("extracted and sanitized content '%s'", extractedContent)
outboxItem := models.CreateOutboxItem(h, []byte(extractedContent))
err = persister.StoreWithCallback(outboxItem, func() {
logger := log.With("handler", h.Name).With("type", "subscription")
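Review bot: The `:=` on the `policy.Sanitize` line declares a new `extractedContent` scoped to the `if` block, so the outer variable still holds the raw feed HTML for any code after the block (not visible here); plain assignment, `extractedContent = policy.Sanitize(extractedContent)`, avoids the shadowing. The length check also runs before sanitizing, so an entry whose markup is stripped entirely would still be stored as an empty outbox item; sanitizing just above `if len(extractedContent) != 0` fixes both. The debug line prints feed-controlled text with `'%s'`, and `%q` would keep embedded newlines from breaking up log lines. Only the content/description value is sanitized in this hunk; whether other feed fields reach storage or rendering cannot be seen here, as the loop and function bodies extend beyond the hunk.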