fix: strip html from remote custom fields, linkify if url detected in now-plaintext field value

Julian Lam
2024-11-25 14:22:19 -05:00
parent 1bebb82b03
commit 065f84b6e2
2 changed files with 7 additions and 2 deletions


@@ -72,7 +72,11 @@ Mocks.profile = async (actors, hostMap) => {
const customFields = actor.attachment && Array.isArray(actor.attachment) && actor.attachment.length ?
actor.attachment
.filter(attachment => attachment.type === 'PropertyValue')
.reduce((map, { name, value }) => map.set(name, value), new Map()) :
.reduce((map, { name, value }) => {
// Strip html from received values (for security)
value = utils.stripHTMLTags(value);
return map.set(name, value);
}, new Map()) :
undefined;
const payload = {
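Review bot: In the new reducer only `value` goes through `utils.stripHTMLTags`; `name` from the same remote `PropertyValue` attachment is stored as the map key unchanged, so markup in a field name still reaches whatever renders these fields. Consider `return map.set(utils.stripHTMLTags(name), utils.stripHTMLTags(value));`, which also avoids reassigning the destructured parameter. Tag stripping is not output encoding, so the template presumably still has to escape both strings on render, and the comment could say so instead of `(for security)`, e.g. `// Remote actors control these strings: strip tags here, still escape on render`. Whether `stripHTMLTags` tolerates a non-string `value` is not visible here and is worth confirming, since the attachment is unvalidated remote JSON. `Mocks.profile` starts and ends outside this hunk.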


@@ -151,11 +151,12 @@ helpers.getCustomUserFields = async function (userData) {
const fields = Array
.from(new URLSearchParams(customFields))
.reduce((memo, [name, value]) => {
const isUrl = validator.isURL(value);
memo.push({
key: slugify(name),
name,
value,
type: 'input-text',
type: isUrl ? 'input-link' : 'input-text',
'min-rep': '',
icon: 'fa-solid fa-circle-info',
});
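Review bot: `validator.isURL(value)` on the added line runs with validator.js defaults, which accept scheme-less hosts such as `example.com` as well as `ftp://` URLs, so a value typed `input-link` is not guaranteed to be an absolute http(s) link. If the template places `value` in an `href` (not visible here), a scheme-less value would resolve relative to the forum's own origin; `const isUrl = validator.isURL(value, { protocols: ['http', 'https'], require_protocol: true });` narrows linkification to absolute web URLs. Because these values can now originate from remote actors, the rendered anchor should presumably also carry `rel="nofollow ugc noopener"`. `helpers.getCustomUserFields` begins before and continues past this hunk.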