Quick fix to "Script self-injection in edit box".

In the 'Edit...' box, the sourceContent (which was written by a user)
has its < replaced with &lt; . This issue does not propagate to the
public timeline nor to the recipients of the post.

Reference: https://codeberg.org/grunfink/snac2/issues/53
This commit is contained in:
default 2023-06-16 09:25:32 +02:00
parent 57761020b7
commit 5be2239467

6
html.c
View file

@ -668,9 +668,11 @@ xs_str *html_entry_controls(snac *snac, xs_str *os, const xs_dict *msg, const ch
s = xs_str_cat(s, "</form>\n"); s = xs_str_cat(s, "</form>\n");
char *prev_src = xs_dict_get(msg, "sourceContent"); const char *prev_src1 = xs_dict_get(msg, "sourceContent");
if (!xs_is_null(prev_src1) && strcmp(actor, snac->actor) == 0) {
xs *prev_src = xs_replace(prev_src1, "<", "&lt;");
if (!xs_is_null(prev_src) && strcmp(actor, snac->actor) == 0) {
/* post can be edited */ /* post can be edited */
xs *s1 = xs_fmt( xs *s1 = xs_fmt(
"<p><details><summary>%s</summary>\n" "<p><details><summary>%s</summary>\n"