From c84384e6608368a13a774d6d33a8cc32da7cf209 Mon Sep 17 00:00:00 2001 From: tobi <31960611+tsmethurst@users.noreply.github.com> Date: Tue, 19 Jul 2022 15:21:17 +0200 Subject: [bugfix] html escape special characters in text instead of totally removing them (#719) * remove minify dependency * tidy up some tests * remove pre + postformat funcs * rework sanitization + formatting * update tests * add some more markdown tests --- internal/text/plain.go | 10 ++++++---- 1 file changed, 6 insertions(+), 4 deletions(-) (limited to 'internal/text/plain.go') diff --git a/internal/text/plain.go b/internal/text/plain.go index bc10d1b67..3daea5686 100644 --- a/internal/text/plain.go +++ b/internal/text/plain.go @@ -20,6 +20,7 @@ package text import ( "context" + "html" "strings" "github.com/superseriousbusiness/gotosocial/internal/gtsmodel" @@ -32,10 +33,11 @@ var breakReplacer = strings.NewReplacer( ) func (f *formatter) FromPlain(ctx context.Context, plain string, mentions []*gtsmodel.Mention, tags []*gtsmodel.Tag) string { - content := preformat(plain) + // trim any crap + content := strings.TrimSpace(plain) - // sanitize any html elements - content = removeHTML(content) + // clean 'er up + content = html.EscapeString(content) // format links nicely content = f.ReplaceLinks(ctx, content) @@ -52,5 +54,5 @@ func (f *formatter) FromPlain(ctx context.Context, plain string, mentions []*gts // wrap the whole thing in a pee content = `
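Review bot: In the second hunk, `content = html.EscapeString(content)` runs before `f.ReplaceLinks(ctx, content)` (and, presumably, the mention and tag replacement further down, outside the hunk), so it only neutralises the caller's raw text; any markup those passes emit, including attribute values they build from mention names, tag names or URLs, is not covered by it and is guarded solely by the `SanitizeHTML` call introduced in the third hunk. That layering is reasonable, but it should be stated so a later edit does not drop or reorder the final call: `// EscapeString only covers the raw input; markup added by the Replace* passes below relies on SanitizeHTML at the end of this function.` Two consequences of the reordering deserve a test: link detection now sees entity-encoded text (an `&` in a query string arrives as `&amp;`, a `'` as `&#39;`), and `SanitizeHTML` receives already-escaped entities, so confirm it does not double-encode them into `&amp;amp;`. FromPlain's body between the second and third hunks is outside this diff.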
` + content + `
` - return postformat(content) + return SanitizeHTML(content) } -- cgit v1.2.3