From af05fbea27df62c96b411a941cf5bb612f256e9d Mon Sep 17 00:00:00 2001
From: Julio Capote
Date: Fri, 6 Jan 2023 21:43:11 -0500
Subject: sanitize/strip any incoming html
---
 cgi/servers.go | 20 ++++++++++++--------
 1 file changed, 12 insertions(+), 8 deletions(-)
(limited to 'cgi/servers.go')
diff --git a/cgi/servers.go b/cgi/servers.go
index b014fdb..1f15227 100644
--- a/cgi/servers.go
+++ b/cgi/servers.go
@@ -20,6 +20,7 @@ import (
 "git.capotej.com/capotej/communique/models"
 "git.capotej.com/capotej/communique/urls"
 "git.capotej.com/capotej/communique/views"
+ "github.com/microcosm-cc/bluemonday"
 "github.com/mmcdole/gofeed"
 "go.uber.org/zap"
 )
@@ -28,10 +29,11 @@ type Servers struct {
 log *zap.SugaredLogger
 persister *models.Persister
 cfg config.Config
+ policy *bluemonday.Policy
 }
 
-func NewServers(log *zap.SugaredLogger, persister *models.Persister, cfg config.Config) *Servers {
- return &Servers{log: log, persister: persister, cfg: cfg}
+func NewServers(log *zap.SugaredLogger, persister *models.Persister, cfg config.Config, policy *bluemonday.Policy) *Servers {
+ return &Servers{log: log, persister: persister, cfg: cfg, policy: policy}
 }
 
 // Start iterates over all Handlers and starts an internal CGI server for each one
@@ -57,14 +59,14 @@ func (s *Servers) Start() {
 // Ticker
 go func(aHandler config.Handler) {
 defer wg.Done()
- startTicker(aHandler, s.persister, handlerLogger, s.cfg, signed)
+ startTicker(aHandler, s.persister, handlerLogger, s.cfg, signed, s.policy)
 }(handler)
 // Execute a handler tick on start since Go's ticker waits until $interval to trigger first tick
 go func(aHandler config.Handler) {
 defer wg.Done()
 time.Sleep(1 * time.Second)
 output := tick(aHandler, handlerLogger)
- err := processTick(aHandler, output, s.persister, handlerLogger, s.cfg, signed)
+ err := processTick(aHandler, output, s.persister, handlerLogger, s.cfg, signed, s.policy)
 if err != nil {
 s.log.Error(err)
 }
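Review bot: `NewServers` stores the new `policy` argument without a nil guard, and that pointer is later dereferenced at `policy.Sanitize` inside the goroutines spawned by `Start`, so a caller passing nil turns into an unrecovered panic in a goroutine that takes the whole process down. Defaulting to the most restrictive policy in the constructor avoids that and matches the commit's stated intent of stripping markup: `if policy == nil { policy = bluemonday.StrictPolicy() }`. The new struct field would also benefit from a comment stating what callers are expected to supply, e.g. `// policy sanitizes feed item HTML before it is stored; StrictPolicy strips all tags, UGCPolicy keeps a safe subset`. The same nil assumption is carried by the `policy` parameters added to startTicker and processTick in the later hunks.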
@@ -91,7 +93,7 @@ func startCGIServer(h config.Handler, log *zap.SugaredLogger) {
 server.Serve(unixListener)
 }
 
-func startTicker(h config.Handler, persister *models.Persister, log *zap.SugaredLogger, cfg config.Config, signed *delivery.Signed) {
+func startTicker(h config.Handler, persister *models.Persister, log *zap.SugaredLogger, cfg config.Config, signed *delivery.Signed, policy *bluemonday.Policy) {
 ticker := time.NewTicker(h.Interval) // TODO add some random jitter here so handlers dont run at the same exact intervals
 done := make(chan bool)
 func() {
@@ -101,7 +103,7 @@ func startTicker(h config.Handler, persister *models.Persister, log *zap.Sugared
 return
 case _ = <-ticker.C:
 output := tick(h, log)
- err := processTick(h, output, persister, log, cfg, signed)
+ err := processTick(h, output, persister, log, cfg, signed, policy)
 if err != nil {
 log.Error(err)
 }
@@ -110,7 +112,7 @@ func startTicker(h config.Handler, persister *models.Persister, log *zap.Sugared
 }()
 }
 
-func processTick(h config.Handler, output []byte, persister *models.Persister, log *zap.SugaredLogger, cfg config.Config, signed *delivery.Signed) error {
+func processTick(h config.Handler, output []byte, persister *models.Persister, log *zap.SugaredLogger, cfg config.Config, signed *delivery.Signed, policy *bluemonday.Policy) error {
 fp := gofeed.NewParser()
 fp.ParseString(string(output))
 feed, err := fp.ParseString(string(output))
@@ -126,8 +128,10 @@ func processTick(h config.Handler, output []byte, persister *models.Persister, l
 } else if len(v.Description) != 0 {
 extractedContent = v.Description
 }
+
 if len(extractedContent) != 0 {
- log.Debugf("extracted content '%s'", extractedContent)
+ extractedContent := policy.Sanitize(extractedContent)
+ log.Debugf("extracted and sanitized content '%s'", extractedContent)
 outboxItem := models.CreateOutboxItem(h, []byte(extractedContent))
 err = persister.StoreWithCallback(outboxItem, func() {
 logger := log.With("handler", h.Name).With("type", "subscription")
-- cgit v1.2.3
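Review bot: `extractedContent := policy.Sanitize(extractedContent)` declares a new variable that shadows the outer `extractedContent` for the rest of the `if` block; the outbox item built on the next line does get the sanitized value, but any later use of the outer variable (the loop body and processTick continue past this hunk) would silently see the raw feed HTML again, which is exactly the kind of gap a sanitizing change must not leave. Assign instead of redeclaring: `extractedContent = policy.Sanitize(extractedContent)`. `policy` is also dereferenced here with no nil check, so an unset policy panics inside the ticker goroutine rather than failing closed. Both the enclosing `for` over feed items and processTick itself start and end outside this hunk.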