From 8d0d07a2995c914c454eac12407a95924bed5168 Mon Sep 17 00:00:00 2001
From: asonix
Date: Wed, 27 Jan 2021 20:59:58 -0600
Subject: [PATCH] Server: render sanitized strings as plain html

- Use source fields for text inputs
---
 server/src/comments/mod.rs | 4 ++--
 server/src/main.rs | 2 +-
 server/src/profiles/state.rs | 4 ++--
 server/src/submissions.rs | 5 +++--
 server/templates/admin/comment_box.rs.html | 9 +++++++--
 server/templates/admin/index.rs.html | 12 ++++++------
 server/templates/admin/report.rs.html | 4 ++--
 server/templates/admin/reporter.rs.html | 2 +-
 server/templates/admin/server_box.rs.html | 7 +++++--
 server/templates/admin/submission_box.rs.html | 7 +++++--
 server/templates/comments/nodes.rs.html | 5 ++++-
 server/templates/comments/profile_box.rs.html | 4 ++--
 server/templates/comments/public.rs.html | 5 ++++-
 server/templates/comments/report.rs.html | 5 ++++-
 server/templates/layouts/root.rs.html | 2 +-
 server/templates/notifications/index.rs.html | 4 ++--
 server/templates/profiles/discover.rs.html | 2 +-
 server/templates/profiles/list.rs.html | 2 +-
 server/templates/submissions/profile_box.rs.html | 2 +-
 server/templates/submissions/public.rs.html | 7 +++++--
 server/templates/submissions/report.rs.html | 2 +-
 21 files changed, 60 insertions(+), 36 deletions(-)

diff --git a/server/src/comments/mod.rs b/server/src/comments/mod.rs
index 4265d99..066433d 100644
--- a/server/src/comments/mod.rs
+++ b/server/src/comments/mod.rs
@@ -430,7 +430,7 @@ async fn edit_page(
         return Ok(crate::to_404());
     }
 
-    let body = comment.body().to_owned();
+    let body = comment.body_source().unwrap_or(comment.body()).to_owned();
     let view = match prepare_view(comment, Some(&profile), &nav_state, &state).await? {
         Some(v) => v.value(&body),
         None => return Ok(crate::to_404()),
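Review bot: The fallback in `comment.body_source().unwrap_or(comment.body())` deserves a comment, because it seeds the edit textarea with the rendered, sanitized body whenever `body_source()` is absent (presumably comments stored before the source field existed), and a reader will otherwise assume the two accessors are interchangeable. A line such as `// comments without a stored source only have the rendered body; show that rather than an empty editor` above it records the intent. The same fallback appears in the update_comment hunk below and needs no second comment if this one names both. edit_page's body continues outside the hunk.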
@@ -490,7 +490,7 @@ async fn update_comment(
         }
     };
 
-    let body = comment.body().to_owned();
+    let body = comment.body_source().unwrap_or(comment.body()).to_owned();
     let view = match prepare_view(comment, Some(&profile), &nav_state, &state).await? {
         Some(v) => v.value(&body).error_opt(Some(error)),
         None => return Ok(crate::to_404()),
diff --git a/server/src/main.rs b/server/src/main.rs
index a89987b..5ad6670 100644
--- a/server/src/main.rs
+++ b/server/src/main.rs
@@ -47,7 +47,7 @@ async fn main() -> anyhow::Result<()> {
 
     if std::env::var("RUST_LOG").is_err() {
         if config.debug {
-            std::env::set_var("RUST_LOG", "hyaenidae_profiles=debug,hyaenidae_accounts=debug,hyaenidae_toolkit=debug,hyaenidae_server=debug,info");
+            std::env::set_var("RUST_LOG", "hyaenidae_content=debug,hyaenidae_profiles=debug,hyaenidae_accounts=debug,hyaenidae_toolkit=debug,hyaenidae_server=debug,info");
         } else {
             std::env::set_var("RUST_LOG", "info");
         }
diff --git a/server/src/profiles/state.rs b/server/src/profiles/state.rs
index 3a98b57..070d117 100644
--- a/server/src/profiles/state.rs
+++ b/server/src/profiles/state.rs
@@ -298,7 +298,7 @@ impl EditProfileState {
             .placeholder("Display Name")
             .dark(dark);
 
-        let input = if let Some(text) = &self.profile.display_name() {
+        let input = if let Some(text) = &self.profile.display_name_source() {
             input.value(text)
         } else {
             input
@@ -324,7 +324,7 @@ impl EditProfileState {
             .textarea()
             .dark(dark);
 
-        let input = if let Some(text) = &self.profile.description_text() {
+        let input = if let Some(text) = &self.profile.description_source() {
             input.value(text)
         } else {
             input
diff --git a/server/src/submissions.rs b/server/src/submissions.rs
index 70bca2d..73fabde 100644
--- a/server/src/submissions.rs
+++ b/server/src/submissions.rs
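Review bot: The two `EditProfileState` hunks switch to `display_name_source()` and `description_source()` with no fallback, while the comments/mod.rs hunks fall back to the rendered value with `unwrap_or(...)`; a profile whose source field is unset would render an empty input here, and re-submitting that form could blank the stored value. If the fallback is wanted project-wide, `&self.profile.display_name_source().or(self.profile.display_name())` (and the same for the description) mirrors the other call sites, assuming both accessors return the same `Option` type; if the empty field is deliberate for profiles, a short comment saying so prevents someone "fixing" it later. The submissions.rs hunk has the same split inside one function: `title_source()` gets the fallback, `description_source()` does not. Both methods continue outside the hunks.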
@@ -277,9 +277,10 @@ pub struct SubmissionState {
 
 impl SubmissionState {
     async fn new(submission: Submission, dark: bool, state: &State) -> Result {
-        let title = title_input(dark).value(submission.title());
+        let title =
+            title_input(dark).value(submission.title_source().unwrap_or(submission.title()));
 
-        let description = if let Some(text) = submission.description() {
+        let description = if let Some(text) = submission.description_source() {
             description_input(dark).value(text)
         } else {
             description_input(dark)
diff --git a/server/templates/admin/comment_box.rs.html b/server/templates/admin/comment_box.rs.html
index dfb8006..2e656b8 100644
--- a/server/templates/admin/comment_box.rs.html
+++ b/server/templates/admin/comment_box.rs.html
@@ -1,6 +1,7 @@
 @use crate::extensions::ProfileExt;
 @use crate::views::OwnedProfileView;
 @use hyaenidae_profiles::store::Comment;
+@use hyaenidae_toolkit::templates::bbcode;
 @use hyaenidae_toolkit::{templates::link, Link};
 @use hyaenidae_toolkit::templates::icon;
 @use hyaenidae_toolkit::templates::ago;
@@ -16,7 +17,7 @@
 @if let Some(name) = view.profile.display_name() {
@:link(&Link::current_tab(&view.profile.view_path()).plain(true), { - @name + @Html(&name) })
} @@ -31,7 +32,11 @@ -
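Review bot: Every `@Html(...)` introduced in this hunk and in the other templates of the patch (admin/index, admin/report, admin/reporter, admin/server_box, admin/submission_box, comments/nodes, comments/profile_box, comments/public, layouts/root, notifications/index, profiles/discover, profiles/list, submissions/profile_box, submissions/public, submissions/report) emits its argument without escaping, so, as the commit title implies, the XSS protection for these pages now rests entirely on the invariant that `display_name()`, `body()`, `title()`, `name()`, `note()` and the other rendered accessors return markup already sanitized at write time — and nothing in the templates states that. A one-line template comment near the top of each affected file, along the lines of `display_name()/body() return sanitized HTML and may be rendered with @Html; the _source() accessors are raw user input and must never be`, records the contract where the next editor will see it. As a style point, `@Html(&name)` here takes a reference while every other template writes `@Html(name)`; dropping the `&` keeps the call sites uniform.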
@comment.body()
+
+ @:bbcode({ + @Html(comment.body()) + }) +
diff --git a/server/templates/admin/index.rs.html b/server/templates/admin/index.rs.html index d6ffcec..4459d4c 100644 --- a/server/templates/admin/index.rs.html +++ b/server/templates/admin/index.rs.html @@ -36,7 +36,7 @@ reported @:link(&Link::new_tab(&profile.view_path()).plain(true), { - @profile.name() + @Html(profile.name()) }) }) } @@ -44,12 +44,12 @@ @:reporter(reports_view, report, { reported @:link(&Link::new_tab(&submission.author_path()).plain(true), { - @submission.author_name()'s + @Html(submission.author_name())'s }) submission: @:link(&Link::new_tab(&submission.view_path()).plain(true), { - @submission.title() + @Html(submission.title()) }) }) } @@ -57,12 +57,12 @@ @:reporter(reports_view, report, { reported @:link(&Link::new_tab(&comment.author_path()).plain(true), { - @comment.author_name()'s + @Html(comment.author_name())'s }) comment: @:link(&Link::new_tab(&comment.view_path()).plain(true), { - @comment.body() + @Html(comment.body()) }) }) } @@ -70,7 +70,7 @@ @if let Some(note) = report.note() {
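Review bot: `@Html(comment.body())` in the third hunk of admin/index.rs.html places the full rendered comment body inside the link text of `@:link(...)`, whereas every other body rendering in this patch goes through `@:bbcode({ ... })` (comment_box, nodes, public); if the sanitizer lets anchors or block elements through, the report list ends up with nested `<a>` elements whose inner link can capture the click. A plain-text accessor, if one exists alongside the `title_text()` seen in admin/submission_box.rs.html, or keeping the previously escaped `@comment.body()` until one does, avoids that in a list that only needs a short label. The same consideration applies to `@Html(submission.title())` in the second hunk.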

Note:

-

@note

+

@Html(note)

}
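Review bot: `@Html(note)` renders a report note unescaped in the moderator view, and unlike comment bodies or profile names nothing in the patch shows the note passing through the same sanitizer; if `report.note()` is free text entered by the reporter, an unescaped note is a stored script-injection path aimed precisely at administrators. Confirm on the write side that notes are sanitized before storage, and otherwise keep the escaped `@note` that this hunk removes. admin/report.rs.html makes the identical change to `view.note()` and is covered by the same check.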
diff --git a/server/templates/admin/report.rs.html b/server/templates/admin/report.rs.html index aaf3660..1efab5d 100644 --- a/server/templates/admin/report.rs.html +++ b/server/templates/admin/report.rs.html @@ -30,14 +30,14 @@ @:card_body({ Reported by @:link(&Link::new_tab(&author.view_path()).plain(true), { - @author.name() + @Html(author.name()) }) }) } @if let Some(note) = view.note() { @:card_body({

Report Content

-

@note

+

@Html(note)

}) } }) diff --git a/server/templates/admin/reporter.rs.html b/server/templates/admin/reporter.rs.html index 0116fd9..6276961 100644 --- a/server/templates/admin/reporter.rs.html +++ b/server/templates/admin/reporter.rs.html @@ -7,7 +7,7 @@
@if let Some(author) = view.reporter_profile(report) { @:link(&Link::new_tab(&author.view_path()).plain(true), { - @author.name() + @Html(author.name()) }) } diff --git a/server/templates/admin/server_box.rs.html b/server/templates/admin/server_box.rs.html index 114631a..9356b33 100644 --- a/server/templates/admin/server_box.rs.html +++ b/server/templates/admin/server_box.rs.html @@ -1,4 +1,5 @@ @use hyaenidae_profiles::store::Server; +@use hyaenidae_toolkit::templates::bbcode; @(server: &Server, body: Content) @@ -8,12 +9,14 @@ @server.domain() - @if let Some(title) = server.title() { - @title + @Html(title) }
@if let Some(description) = server.description() {
- @description + @:bbcode({ + @Html(description) + })
} @:body() diff --git a/server/templates/admin/submission_box.rs.html b/server/templates/admin/submission_box.rs.html index 3ec6599..fba99cb 100644 --- a/server/templates/admin/submission_box.rs.html +++ b/server/templates/admin/submission_box.rs.html @@ -1,5 +1,6 @@ @use crate::extensions::{SubmissionExt, ProfileExt}; @use crate::views::{OwnedProfileView, OwnedSubmissionView}; +@use hyaenidae_toolkit::templates::bbcode; @use hyaenidae_toolkit::templates::{card_body, card_section}; @use hyaenidae_toolkit::{templates::link, Link}; @use hyaenidae_toolkit::templates::icon; @@ -18,7 +19,7 @@ @if let Some(name) = pro_view.profile.display_name() {
@:link(&Link::current_tab(&pro_view.profile.view_path()).plain(true), { - @name + @Html(name) })
} @@ -38,7 +39,9 @@

@sub_view.submission.title_text()

@if let Some(description) = sub_view.submission.description_text() { -

@description

+ @:bbcode({ + @Html(description) + }) }
diff --git a/server/templates/comments/nodes.rs.html b/server/templates/comments/nodes.rs.html index 01fc11e..414738c 100644 --- a/server/templates/comments/nodes.rs.html +++ b/server/templates/comments/nodes.rs.html @@ -1,5 +1,6 @@ @use crate::comments::{Cache, CommentNode}; @use crate::templates::comments::{nodes, profile_box}; +@use hyaenidae_toolkit::templates::bbcode; @use hyaenidae_toolkit::templates::link; @use hyaenidae_toolkit::templates::{nested_children, nested_node}; @@ -29,7 +30,9 @@ } }, { - @comment.body() + @:bbcode({ + @Html(comment.body()) + }) }) }) } diff --git a/server/templates/comments/profile_box.rs.html b/server/templates/comments/profile_box.rs.html index 8d7cd1f..d2f1c50 100644 --- a/server/templates/comments/profile_box.rs.html +++ b/server/templates/comments/profile_box.rs.html @@ -17,7 +17,7 @@ @if let Some(name) = view.profile.display_name() {
@:link(&Link::current_tab(&view.profile.view_path()).plain(true), { - @name + @Html(name) })
} @@ -34,7 +34,7 @@ @if let Some(l) = parent.view_link(cache) { @if let Some(name) = parent.name(cache) { @:link(&l, { - Replying to @name + Replying to @Html(name) }) } } diff --git a/server/templates/comments/public.rs.html b/server/templates/comments/public.rs.html index 947c7ff..d019dcb 100644 --- a/server/templates/comments/public.rs.html +++ b/server/templates/comments/public.rs.html @@ -4,6 +4,7 @@ @use crate::templates::button_js; @use crate::templates::layouts::home; @use crate::templates::comments::{nodes, profile_box}; +@use hyaenidae_toolkit::templates::bbcode; @use hyaenidae_toolkit::{templates::button_group, Button}; @use hyaenidae_toolkit::{templates::{card, card_title, card_body}, Card}; @use hyaenidae_toolkit::templates::link; @@ -29,7 +30,9 @@ } }, {
- @comment.body() + @:bbcode({ + @Html(comment.body()) + })
}) diff --git a/server/templates/comments/report.rs.html b/server/templates/comments/report.rs.html index e3e8e90..7e97d3f 100644 --- a/server/templates/comments/report.rs.html +++ b/server/templates/comments/report.rs.html @@ -4,6 +4,7 @@ @use crate::templates::button_js; @use crate::templates::layouts::home; @use crate::templates::comments::profile_box; +@use hyaenidae_toolkit::templates::bbcode; @use hyaenidae_toolkit::{templates::button_group, Button}; @use hyaenidae_toolkit::{templates::{card, card_title, card_body}, Card}; @use hyaenidae_toolkit::templates::text_input; @@ -20,7 +21,9 @@
@:profile_box(&view.author(), view.comment.published(), &view.parent(), &view.cache, nav_state.dark(), {}, {
- @view.comment.body() + @:bbcode({ + @view.comment.body() + })
})
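Review bot: `@view.comment.body()` inside the new `@:bbcode({ ... })` in comments/report.rs.html is still escaped, while comments/public.rs.html, comments/nodes.rs.html and admin/comment_box.rs.html wrap the same body as `@Html(comment.body())`; here the sanitized markup will appear as literal tag text inside the bbcode container. If the body is the same sanitized value, `@Html(view.comment.body())` brings this template in line with the others; if keeping it escaped on the report page is intentional, a template comment saying so stops the next reader from changing it.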
diff --git a/server/templates/layouts/root.rs.html b/server/templates/layouts/root.rs.html index 28583a9..eed95ee 100644 --- a/server/templates/layouts/root.rs.html +++ b/server/templates/layouts/root.rs.html @@ -9,7 +9,7 @@ - @title + @Html(title) diff --git a/server/templates/notifications/index.rs.html b/server/templates/notifications/index.rs.html index b2c5bcf..dc3ab0f 100644 --- a/server/templates/notifications/index.rs.html +++ b/server/templates/notifications/index.rs.html @@ -51,11 +51,11 @@ @for c in view.comments() { @:card_body({ @:link(&c.author_link(), { - @c.author_name() + @Html(c.author_name()) }) @if let Some(l) = c.submission_link() { commented on your submission: - @:link(&l, { @c.submission_title() }) + @:link(&l, { @Html(c.submission_title()) }) } @if let Some(l) = c.reply_to_link() { replied to your diff --git a/server/templates/profiles/discover.rs.html b/server/templates/profiles/discover.rs.html index eaa39fd..8a04d4b 100644 --- a/server/templates/profiles/discover.rs.html +++ b/server/templates/profiles/discover.rs.html @@ -33,7 +33,7 @@
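Review bot: `@Html(title)` in layouts/root.rs.html disables escaping for whatever `title` the layout is handed, and where that value comes from is outside this hunk; if it lands in the document `<title>` element, markup is never rendered there, so sanitized tags show up as literal text and a `</title>` that the sanitizer does not strip would terminate the element. A plain-text form of the title — comparable to the `title_text()` accessor used in admin/submission_box.rs.html — rendered with the template's default escaping fits a `<title>` better than sanitized HTML.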
@if let Some(display_name) = pview.profile.display_name() { @:link(&Link::current_tab(&pview.profile.view_path()).plain(true), { - @display_name + @Html(display_name) }) }
diff --git a/server/templates/profiles/list.rs.html b/server/templates/profiles/list.rs.html index 5daa862..7297fdf 100644 --- a/server/templates/profiles/list.rs.html +++ b/server/templates/profiles/list.rs.html @@ -28,7 +28,7 @@
@if let Some(display_name) = pview.profile.display_name() { @:link(&Link::current_tab(&pview.profile.view_path()).plain(true), { - @display_name + @Html(display_name) }) }
diff --git a/server/templates/submissions/profile_box.rs.html b/server/templates/submissions/profile_box.rs.html index 210781f..1a6f34f 100644 --- a/server/templates/submissions/profile_box.rs.html +++ b/server/templates/submissions/profile_box.rs.html @@ -15,7 +15,7 @@ @if let Some(name) = view.profile.display_name() {
@:link(&Link::current_tab(&view.profile.view_path()).plain(true), { - @name + @Html(name) })
} diff --git a/server/templates/submissions/public.rs.html b/server/templates/submissions/public.rs.html index 7eccd7c..f56c854 100644 --- a/server/templates/submissions/public.rs.html +++ b/server/templates/submissions/public.rs.html @@ -5,6 +5,7 @@ @use crate::templates::layouts::home; @use crate::templates::comments::nodes; @use crate::templates::submissions::profile_box; +@use hyaenidae_toolkit::templates::bbcode; @use hyaenidae_toolkit::{templates::button_group, Button}; @use hyaenidae_toolkit::{templates::{card, card_body, card_section, card_spacer, card_title}, Card}; @use hyaenidae_toolkit::templates::image; @@ -19,7 +20,7 @@ }, { @:card(&Card::full_width().dark(nav_state.dark()), { @:card_title({ - @view.submission.title_text() + @Html(view.submission.title_text()) }) @:card_section({ @if let Some(img) = view.image() { @@ -48,7 +49,9 @@ @:card_body({ @:profile_box(&view.poster(), view.submission.published(), nav_state.dark(), { @if let Some(description) = view.submission.description_text() { - @description + @:bbcode({ + @Html(description) + }) } }) }) diff --git a/server/templates/submissions/report.rs.html b/server/templates/submissions/report.rs.html index 776a2d6..40633a1 100644 --- a/server/templates/submissions/report.rs.html +++ b/server/templates/submissions/report.rs.html @@ -15,7 +15,7 @@ }, { @:card(&Card::full_width().dark(nav_state.dark()), { @:card_title({ - Report @view.submission.title() + Report @Html(view.submission.title()) }) @:submission_box(&view.submission(), &view.author(), nav_state.dark()) })
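Review bot: `@Html(view.submission.title_text())` in the first hunk of submissions/public.rs.html turns off escaping for an accessor whose name suggests plain text, and admin/submission_box.rs.html (a context line elsewhere in this patch) still renders `@sub_view.submission.title_text()` escaped; if `title_text()` is the unsanitized text form rather than sanitized HTML, this card title becomes an injection point. Either render it escaped as before, or use the sanitized accessor — `title()` is what admin/index.rs.html and submissions/report.rs.html pass to `@Html` — so that the two templates agree on what `title_text()` is safe for. The same question applies to `description_text()`, which both admin/submission_box.rs.html and this file now pass to `@Html` inside `@:bbcode`.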