[bugfix] Use custom bluemonday policy to disallow inline img tags (#2100)

author: tobi <31960611+tsmethurst@users.noreply.github.com> 2023-08-11 14:40:11 +0200
committer: GitHub <noreply@github.com> 2023-08-11 14:40:11 +0200
commit: dc96562b4084e058846aea9102ef0257461717d6 (patch)
tree: a0b4bdbaa266386c7fdbbc02ca3e62bae559bf17 /internal/processing/instance.go
parent: [feature] Set Content-Security-Policy header (#2095) (diff)
download: gotosocial-dc96562b4084e058846aea9102ef0257461717d6.tar.xz
1 files changed, 4 insertions, 4 deletions
diff --git a/internal/processing/instance.go b/internal/processing/instance.go
index ac63814cd..edcfe5418 100644
--- a/internal/processing/instance.go
+++ b/internal/processing/instance.go
@@ -159,7 +159,7 @@ func (p *Processor) InstancePatch(ctx context.Context, form *apimodel.InstanceSe
 			return nil, gtserror.NewErrorBadRequest(err, fmt.Sprintf("site title invalid: %s", err))
 		}
 		updatingColumns = append(updatingColumns, "title")
-		instance.Title = text.SanitizePlaintext(*form.Title) // don't allow html in site title
+		instance.Title = text.SanitizeToPlaintext(*form.Title) // don't allow html in site title
 	}
 
 	// validate & update site contact account if it's set on the form
@@ -215,7 +215,7 @@ func (p *Processor) InstancePatch(ctx context.Context, form *apimodel.InstanceSe
 			return nil, gtserror.NewErrorBadRequest(err, err.Error())
 		}
 		updatingColumns = append(updatingColumns, "short_description")
-		instance.ShortDescription = text.SanitizeHTML(*form.ShortDescription) // html is OK in site description, but we should sanitize it
+		instance.ShortDescription = text.SanitizeToHTML(*form.ShortDescription) // html is OK in site description, but we should sanitize it
 	}
 
 	// validate & update site description if it's set on the form
@@ -224,7 +224,7 @@ func (p *Processor) InstancePatch(ctx context.Context, form *apimodel.InstanceSe
 			return nil, gtserror.NewErrorBadRequest(err, err.Error())
 		}
 		updatingColumns = append(updatingColumns, "description")
-		instance.Description = text.SanitizeHTML(*form.Description) // html is OK in site description, but we should sanitize it
+		instance.Description = text.SanitizeToHTML(*form.Description) // html is OK in site description, but we should sanitize it
 	}
 
 	// validate & update site terms if it's set on the form
@@ -233,7 +233,7 @@ func (p *Processor) InstancePatch(ctx context.Context, form *apimodel.InstanceSe
 			return nil, gtserror.NewErrorBadRequest(err, err.Error())
 		}
 		updatingColumns = append(updatingColumns, "terms")
-		instance.Terms = text.SanitizeHTML(*form.Terms) // html is OK in site terms, but we should sanitize it
+		instance.Terms = text.SanitizeToHTML(*form.Terms) // html is OK in site terms, but we should sanitize it
 	}
 
 	var updateInstanceAccount bool
author	tobi <31960611+tsmethurst@users.noreply.github.com>	2023-08-11 14:40:11 +0200
committer	GitHub <noreply@github.com>	2023-08-11 14:40:11 +0200
commit	dc96562b4084e058846aea9102ef0257461717d6 (patch)
tree	a0b4bdbaa266386c7fdbbc02ca3e62bae559bf17 /internal/processing/instance.go
parent	[feature] Set Content-Security-Policy header (#2095) (diff)
download	gotosocial-dc96562b4084e058846aea9102ef0257461717d6.tar.xz