Sanitize html content

This commit is contained in:
Daniele Tonon
2023-05-25 21:05:58 +02:00
parent 41685aa8ea
commit f38571c8e9
3 changed files with 57 additions and 58 deletions


@@ -4,47 +4,47 @@
<head> <head>
{{if eq .type "profile"}} {{if eq .type "profile"}}
<title>Nostr Public Key {{.npub}}</title> <title>Nostr Public Key {{.npub}}</title>
<meta property="og:site_name" content="{{.npub}}" /> <meta property="og:site_name" content="{{.npub | SanitizeString}}" />
<meta property="og:title" content="{{.title}}" /> <meta property="og:title" content="{{.title | SanitizeString}}" />
{{ if .metadata.Picture }} {{ if .metadata.Picture }}
<meta property="og:image" content="{{.metadata.Picture}}" /> <meta property="og:image" content="{{.metadata.Picture | SanitizeString}}" />
<meta property="twitter:image" content="{{.proxy}}{{.metadata.Picture}}" /> <meta property="twitter:image" content="{{.proxy}}{{.metadata.Picture | SanitizeString}}" />
{{end}} {{ if .metadata.About }} {{end}} {{ if .metadata.About }}
<meta property="og:description" content="{{.metadata.About}}" /> <meta property="og:description" content="{{.metadata.About | SanitizeString}}" />
{{end}} {{end}}
<meta property="twitter:card" content="summary" /> <meta property="twitter:card" content="summary" />
{{end}} {{end}}
<!-----------> <!----------->
{{ if eq .type "event" }} {{ if eq .type "event" }}
<title>Nostr Event {{.nevent}}</title> <title>Nostr Event {{.nevent}}</title>
<meta property="og:site_name" content="{{.authorLong}}" /> <meta property="og:site_name" content="{{.authorLong | SanitizeString}}" />
<meta property="og:title" content="{{.title}}" /> <meta property="og:title" content="{{.title | SanitizeString}}" />
<meta name="twitter:title" content="{{.twitterTitle}}" /> <meta name="twitter:title" content="{{.twitterTitle | SanitizeString}}" />
<!----> <!---->
{{ if .textImageURL }} {{ if .textImageURL }}
<meta name="twitter:card" content="summary_large_image" /> <meta name="twitter:card" content="summary_large_image" />
<meta name="twitter:site" content="@nostrprotocol" /> <meta name="twitter:site" content="@nostrprotocol" />
<meta property="og:image" content="{{.textImageURL}}" /> <meta property="og:image" content="{{.textImageURL | SanitizeString}}" />
<meta name="twitter:image" content="{{.textImageURL}}" /> <meta name="twitter:image" content="{{.textImageURL | SanitizeString}}" />
{{ else }} {{ else }}
<!----> <!---->
<meta property="twitter:card" content="summary" /> <meta property="twitter:card" content="summary" />
{{ if .image }} {{ if .image }}
<meta property="og:image" content="{{.image}}" /> <meta property="og:image" content="{{.image | SanitizeString}}" />
<meta name="twitter:image" content="{{.proxy}}{{.image}}" /> <meta name="twitter:image" content="{{.proxy}}{{.image | SanitizeString}}" />
{{end}} {{ if .video }} {{end}} {{ if .video }}
<meta property="og:video" content="{{.video}}" /> <meta property="og:video" content="{{.video | SanitizeString}}" />
<meta property="og:video:secure_url" content="{{.video}}" /> <meta property="og:video:secure_url" content="{{.video | SanitizeString}}" />
<meta property="og:video:type" content="video/{{.videoType}}" /> <meta property="og:video:type" content="video/{{.videoType | SanitizeString}}" />
{{end}} {{end}}
<!----> <!---->
{{end}} {{end}}
<meta property="og:description" content="{{.description}}" /> <meta property="og:description" content="{{.description | SanitizeString}}" />
<meta name="twitter:description" content="{{.description}}" /> <meta name="twitter:description" content="{{.description | SanitizeString}}" />
{{end}} {{end}}
<!-----------> <!----------->
{{ if eq .type "address" }} {{ if eq .type "address" }}
<title>Nostr Address {{.naddr}}</title> <title>Nostr Address {{.naddr | SanitizeString}}</title>
{{end}} {{end}}
<!-----------> <!----------->
@@ -65,23 +65,23 @@
<div class="profile_intro"> <div class="profile_intro">
<div class="pic-wrapper"> <div class="pic-wrapper">
<a href="/{{.npub}}"><img class="pic" src="{{ .metadata.Picture }}" /></a> <a href="/{{.npub | SanitizeString}}"><img class="pic" src="{{.metadata.Picture | SanitizeString}}" /></a>
</div> </div>
<div class="info-wrapper"> <div class="info-wrapper">
<div class="name"> <div class="name">
{{.metadata.Name}} <span class="display">{{.metadata.DisplayName}}</span> {{.metadata.Name | SanitizeString}} <span class="display">{{.metadata.DisplayName | SanitizeString}}</span>
</div> </div>
<div class="npub">{{.npubShort}}</div> <div class="npub">{{.npubShort | SanitizeString}}</div>
</div> </div>
<div class="published_at"> <div class="published_at">
{{.createdAt}} {{.createdAt | SanitizeString}}
</div> </div>
</div> </div>
<div class="field separator"></div> <div class="field separator"></div>
<div class="field content"> <div class="field content">
{{.description | BasicFormatting }} {{.description | SanitizeString | BasicFormatting }}
</div> </div>
<div class="field separator"></div> <div class="field separator"></div>
@@ -93,12 +93,12 @@
<div class="field"> <div class="field">
<div class="label">Nevent</div> <div class="label">Nevent</div>
<div>{{.nevent}}</div> <div>{{.nevent | SanitizeString}}</div>
</div> </div>
<div class="field last_update"> <div class="field last_update">
Last update:<br/> Last update:<br/>
{{.createdAt}} {{.createdAt | SanitizeString}}
</div> </div>
<div class="field advanced-switch-wrapper"> <div class="field advanced-switch-wrapper">
@@ -109,7 +109,7 @@
<div class="field advanced"> <div class="field advanced">
<div class="label">Event JSON</div> <div class="label">Event JSON</div>
<div class="json">{{.eventJSON}}</div> <div class="json">{{.eventJSON | SanitizeString}}</div>
</div> </div>
<div class="field separator"></div> <div class="field separator"></div>
</div> </div>
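Review bot: The filter is applied inconsistently in the first hunk: `<title>Nostr Public Key {{.npub}}</title>` and `<title>Nostr Event {{.nevent}}</title>` still interpolate raw values, while the address title a few lines down became `{{.naddr | SanitizeString}}`, and the `{{.proxy}}` prefix on the twitter:image lines is also left unfiltered. If npub/nevent are bech32 and proxy is server-controlled this is harmless today, but a per-field opt-in filter only works if every interpolation carries it, so those lines should read `{{.npub | SanitizeString}}` and `{{.nevent | SanitizeString}}` for consistency. The same two title lines are left bare in the second template file of this commit. In the profile-intro hunk, `{{.description | SanitizeString | BasicFormatting }}` runs the escaper before the formatter, so `&` in any URL inside the description reaches BasicFormatting as `&amp;`; whether that breaks its link detection depends on BasicFormatting, which is not in this diff, but the order is worth confirming.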


@@ -4,47 +4,47 @@
<head> <head>
{{if eq .type "profile"}} {{if eq .type "profile"}}
<title>Nostr Public Key {{.npub}}</title> <title>Nostr Public Key {{.npub}}</title>
<meta property="og:site_name" content="{{.npub}}" /> <meta property="og:site_name" content="{{.npub | SanitizeString}}" />
<meta property="og:title" content="{{.title}}" /> <meta property="og:title" content="{{.title | SanitizeString}}" />
{{ if .metadata.Picture }} {{ if .metadata.Picture }}
<meta property="og:image" content="{{.metadata.Picture}}" /> <meta property="og:image" content="{{.metadata.Picture | SanitizeString}}" />
<meta property="twitter:image" content="{{.proxy}}{{.metadata.Picture}}" /> <meta property="twitter:image" content="{{.proxy}}{{.metadata.Picture | SanitizeString}}" />
{{end}} {{ if .metadata.About }} {{end}} {{ if .metadata.About }}
<meta property="og:description" content="{{.metadata.About}}" /> <meta property="og:description" content="{{.metadata.About | SanitizeString}}" />
{{end}} {{end}}
<meta property="twitter:card" content="summary" /> <meta property="twitter:card" content="summary" />
{{end}} {{end}}
<!-----------> <!----------->
{{ if eq .type "event" }} {{ if eq .type "event" }}
<title>Nostr Event {{.nevent}}</title> <title>Nostr Event {{.nevent}}</title>
<meta property="og:site_name" content="{{.authorLong}}" /> <meta property="og:site_name" content="{{.authorLong | SanitizeString}}" />
<meta property="og:title" content="{{.title}}" /> <meta property="og:title" content="{{.title | SanitizeString}}" />
<meta name="twitter:title" content="{{.twitterTitle}}" /> <meta name="twitter:title" content="{{.twitterTitle | SanitizeString}}" />
<!----> <!---->
{{ if .textImageURL }} {{ if .textImageURL }}
<meta name="twitter:card" content="summary_large_image" /> <meta name="twitter:card" content="summary_large_image" />
<meta name="twitter:site" content="@nostrprotocol" /> <meta name="twitter:site" content="@nostrprotocol" />
<meta property="og:image" content="{{.textImageURL}}" /> <meta property="og:image" content="{{.textImageURL | SanitizeString}}" />
<meta name="twitter:image" content="{{.textImageURL}}" /> <meta name="twitter:image" content="{{.textImageURL | SanitizeString}}" />
{{ else }} {{ else }}
<!----> <!---->
<meta property="twitter:card" content="summary" /> <meta property="twitter:card" content="summary" />
{{ if .image }} {{ if .image }}
<meta property="og:image" content="{{.image}}" /> <meta property="og:image" content="{{.image | SanitizeString}}" />
<meta name="twitter:image" content="{{.proxy}}{{.image}}" /> <meta name="twitter:image" content="{{.proxy}}{{.image | SanitizeString}}" />
{{end}} {{ if .video }} {{end}} {{ if .video }}
<meta property="og:video" content="{{.video}}" /> <meta property="og:video" content="{{.video | SanitizeString}}" />
<meta property="og:video:secure_url" content="{{.video}}" /> <meta property="og:video:secure_url" content="{{.video | SanitizeString}}" />
<meta property="og:video:type" content="video/{{.videoType}}" /> <meta property="og:video:type" content="video/{{.videoType | SanitizeString}}" />
{{end}} {{end}}
<!----> <!---->
{{end}} {{end}}
<meta property="og:description" content="{{.description}}" /> <meta property="og:description" content="{{.description | SanitizeString}}" />
<meta name="twitter:description" content="{{.description}}" /> <meta name="twitter:description" content="{{.description | SanitizeString}}" />
{{end}} {{end}}
<!-----------> <!----------->
{{ if eq .type "address" }} {{ if eq .type "address" }}
<title>Nostr Address {{.naddr}}</title> <title>Nostr Address {{.naddr | SanitizeString }}</title>
{{end}} {{end}}
<!-----------> <!----------->
@@ -63,52 +63,52 @@
<div class="column columnA"> <div class="column columnA">
<div class="info-wrapper"> <div class="info-wrapper">
{{.metadata.Name}} <span class="display">{{.metadata.DisplayName}}</span> {{.metadata.Name | SanitizeString}} <span class="display">{{.metadata.DisplayName | SanitizeString}}</span>
</div> </div>
<div class="pic-wrapper"> <div class="pic-wrapper">
<img class="pic" src="{{ .metadata.Picture }}" /> <img class="pic" src="{{.metadata.Picture | SanitizeString}}" />
</div> </div>
<div class="last_update"> <div class="last_update">
Last update:<br/> Last update:<br/>
{{.createdAt}} {{.createdAt | SanitizeString}}
</div> </div>
</div> </div>
<div class="column column_content"> <div class="column column_content">
<div class="field info-wrapper"> <div class="field info-wrapper">
<div class="name"> <div class="name">
{{.metadata.Name}} <span class="display">{{.metadata.DisplayName}}</span> {{.metadata.Name | SanitizeString}} <span class="display">{{.metadata.DisplayName | SanitizeString}}</span>
</div> </div>
</div> </div>
<div class="field separator long"></div> <div class="field separator long"></div>
<div class="field"> <div class="field">
<a href="{{.metadata.Website}}">{{.metadata.Website}}</a> <a href="{{.metadata.Website | SanitizeString}}">{{.metadata.Website | SanitizeString}}</a>
</div> </div>
<div class="field"> <div class="field">
{{.metadata.About}} {{.metadata.About | SanitizeString}}
</div> </div>
<div class="field separator"></div> <div class="field separator"></div>
<div class="field"> <div class="field">
<div class="label">Public key</div> <div class="label">Public key</div>
{{.npub}} {{.npub | SanitizeString}}
</div> </div>
<div class="field"> <div class="field">
<div class="label">NIP-05</div> <div class="label">NIP-05</div>
{{.metadata.NIP05}} {{.metadata.NIP05 | SanitizeString}}
</div> </div>
<div class="field"> <div class="field">
<div class="label">LN Address</div> <div class="label">LN Address</div>
{{.metadata.LUD16}} {{.metadata.LUD16 | SanitizeString}}
</div> </div>
<div class="field"> <div class="field">
<div class="label">Metadata Event</div> <div class="label">Metadata Event</div>
<div>{{.nevent}}</div> <div>{{.nevent | SanitizeString}}</div>
</div> </div>
<div class="field last_update"> <div class="field last_update">
Last update:<br/> Last update:<br/>
{{.createdAt}} {{.createdAt | SanitizeString}}
</div> </div>
<div class="field advanced-switch-wrapper"> <div class="field advanced-switch-wrapper">
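Review bot: `<a href="{{.metadata.Website | SanitizeString}}">` and `<img class="pic" src="{{.metadata.Picture | SanitizeString}}" />` put user-supplied metadata into URL attributes, and `html.EscapeString` only prevents breaking out of the quoted attribute; it does not validate the URL itself, so a value with a non-http scheme is still rendered as a live link or image source. Since the values come from a Nostr profile event, the scheme should be checked on the Go side before the map is built (keep the href only when it parses with an `http`/`https` scheme, otherwise render the text without the anchor), or the template should be rendered by a context-aware engine that escapes URL attributes as URLs. The same `src` pattern appears in the pic-wrapper of the first template file in this commit.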


@@ -4,6 +4,7 @@ import (
_ "embed" _ "embed"
"encoding/json" "encoding/json"
"fmt" "fmt"
"html"
"net/http" "net/http"
"regexp" "regexp"
"strings" "strings"
@@ -161,9 +162,6 @@ func render(w http.ResponseWriter, r *http.Request) {
eventJSON, _ := json.MarshalIndent(event, "", " ") eventJSON, _ := json.MarshalIndent(event, "", " ")
// TODO: Sanitize content
description += "\n<script>alert('TODO: Sanitize the content!')</script>"
params := map[string]any{ params := map[string]any{
"createdAt": createdAt, "createdAt": createdAt,
"clients": generateClientList(code, event), "clients": generateClientList(code, event),
@@ -192,6 +190,7 @@ func render(w http.ResponseWriter, r *http.Request) {
var funcMap = template.FuncMap{ var funcMap = template.FuncMap{
"BasicFormatting": BasicFormatting, "BasicFormatting": BasicFormatting,
"SanitizeString": html.EscapeString,
} }
var tmpl = template.Must(template.New("event").Funcs(funcMap).Parse(templates[typ])) var tmpl = template.Must(template.New("event").Funcs(funcMap).Parse(templates[typ]))
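Review bot: Registering `"SanitizeString": html.EscapeString` makes escaping opt-in per template action, so any `{{.x}}` that misses the pipe (both templates still have `<title>Nostr Public Key {{.npub}}</title>` and `<title>Nostr Event {{.nevent}}</title>` without it) is rendered raw, and the one escaper is used for text, attribute and URL contexts alike. The `template` import is outside the hunk, but the removed `<script>` test payload rendering unescaped suggests this is `text/template`; switching that import to `html/template` would give contextual escaping for every action automatically, at which point the pipe becomes redundant (and if it is already `html/template`, the pipe double-escapes, turning `&` into `&amp;amp;`). If the project stays on `text/template`, a comment on the FuncMap entry should state that rule, e.g. `// SanitizeString must be applied to every untrusted value; text/template does no escaping of its own.` The surrounding render function starts before this hunk.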