From bdba3ff9a9f98c1605c01c0e84f6bd6ed5c3efae Mon Sep 17 00:00:00 2001
From: Tobi Smethurst <31960611+tsmethurst@users.noreply.github.com>
Date: Tue, 13 Jul 2021 16:03:51 +0200
Subject: sanitize html for statuses + instance (#97)

* sanitize html for statuses + instance

* sanitization
---
 internal/processing/account/update.go | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

(limited to 'internal/processing/account/update.go')

diff --git a/internal/processing/account/update.go b/internal/processing/account/update.go
index 830fec60a..fbe29ac86 100644
--- a/internal/processing/account/update.go
+++ b/internal/processing/account/update.go
@@ -50,7 +50,8 @@ func (p *processor) Update(account *gtsmodel.Account, form *apimodel.UpdateCrede
 		if err := util.ValidateDisplayName(*form.DisplayName); err != nil {
 			return nil, err
 		}
-		if err := p.db.UpdateOneByID(account.ID, "display_name", *form.DisplayName, &gtsmodel.Account{}); err != nil {
+		displayName := util.RemoveHTML(*form.DisplayName) // no html allowed in display name
+		if err := p.db.UpdateOneByID(account.ID, "display_name", displayName, &gtsmodel.Account{}); err != nil {
 			return nil, err
 		}
 	}
@@ -59,7 +60,8 @@ func (p *processor) Update(account *gtsmodel.Account, form *apimodel.UpdateCrede
 		if err := util.ValidateNote(*form.Note); err != nil {
 			return nil, err
 		}
-		if err := p.db.UpdateOneByID(account.ID, "note", *form.Note, &gtsmodel.Account{}); err != nil {
+		note := util.SanitizeHTML(*form.Note) // html OK in note but sanitize it
+		if err := p.db.UpdateOneByID(account.ID, "note", note, &gtsmodel.Account{}); err != nil {
 			return nil, err
 		}
 	}
-- 
cgit v1.2.3