From c8999a116ef71bef2cb28a783e4ba3d8e3cea6fa Mon Sep 17 00:00:00 2001
From: Eugen Rochko
Date: Thu, 24 Mar 2016 12:40:55 +0100
Subject: [PATCH] Sanitize remote html in atom feeds, API (not just UI), use cached mention relations on Status#mentions
---
 app/helpers/application_helper.rb | 8 ++++++++
 app/helpers/atom_builder_helper.rb | 8 +-------
 app/helpers/stream_entries_helper.rb | 8 --------
 app/models/status.rb | 21 +++++++-------------
 app/views/api/statuses/show.rabl | 2 +-
 spec/models/status_spec.rb | 2 +-
 6 files changed, 18 insertions(+), 31 deletions(-)

diff --git a/app/helpers/application_helper.rb b/app/helpers/application_helper.rb
index dad7ed349..04eec89df 100644
--- a/app/helpers/application_helper.rb
+++ b/app/helpers/application_helper.rb
@@ -12,6 +12,14 @@ module ApplicationHelper
     id.start_with?("tag:#{Rails.configuration.x.local_domain}")
   end
 
+  def content_for_status(actual_status)
+    if actual_status.local?
+      linkify(actual_status)
+    else
+      sanitize(actual_status.content, tags: %w(a br p), attributes: %w(href rel))
+    end
+  end
+
   def linkify(status)
     mention_hash = {}
     status.mentions.each { |m| mention_hash[m.acct] = m }
diff --git a/app/helpers/atom_builder_helper.rb b/app/helpers/atom_builder_helper.rb
index 74c87daaa..51ab4da16 100644
--- a/app/helpers/atom_builder_helper.rb
+++ b/app/helpers/atom_builder_helper.rb
@@ -137,13 +137,7 @@ module AtomBuilderHelper
 
   def conditionally_formatted(activity)
     if activity.is_a?(Status)
-      if activity.reblog? && activity.reblog.local?
-        linkify(activity.reblog)
-      elsif !activity.reblog? && activity.local?
-        linkify(activity)
-      else
-        activity.content
-      end
+      content_for_status(activity.reblog? ? activity.reblog : activity)
     elsif activity.nil?
       nil
     else
diff --git a/app/helpers/stream_entries_helper.rb b/app/helpers/stream_entries_helper.rb
index 28fc41ed5..b044e8a61 100644
--- a/app/helpers/stream_entries_helper.rb
+++ b/app/helpers/stream_entries_helper.rb
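Review bot: The allowlist `tags: %w(a br p), attributes: %w(href rel)` in content_for_status is now the single barrier between federated HTML and three outputs (UI, Atom, API), yet it sits as an inline literal with nothing stating that intent; lift it into frozen constants on the helper, `REMOTE_CONTENT_TAGS = %w(a br p).freeze` and `REMOTE_CONTENT_ATTRIBUTES = %w(href rel).freeze`, and put a comment above the method such as `# Local statuses are rendered from our own text; remote statuses carry third-party HTML and are reduced to this allowlist before any output.` Permitting `href` delegates link-scheme filtering entirely to the sanitize scrubber, so that behaviour deserves a spec with a non-http scheme rather than an assumption. `rel` is passed through from the remote document rather than forced, so remote links keep whatever relation the origin chose; if the intent is to control that, drop it from the allowlist and set it when rendering.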
@@ -27,12 +27,4 @@ module StreamEntriesHelper
   def favourited_by_me_class(status)
     user_signed_in? && current_user.account.favourited?(status) ? 'favourited' : ''
   end
-
-  def content_for_status(actual_status)
-    if actual_status.local?
-      linkify(actual_status)
-    else
-      sanitize(actual_status.content, tags: %w(a br p), attributes: %w(href rel))
-    end
-  end
 end
diff --git a/app/models/status.rb b/app/models/status.rb
index 2462d6b7d..b1965f176 100644
--- a/app/models/status.rb
+++ b/app/models/status.rb
@@ -60,22 +60,15 @@ class Status < ActiveRecord::Base
   end
 
   def mentions
-    m = []
-
-    m << thread.account if reply?
-    m << reblog.account if reblog?
-
-    unless reblog?
-      self.text.scan(Account::MENTION_RE).each do |match|
-        uri = match.first
-        username, domain = uri.split('@')
-        account = Account.find_by(username: username, domain: domain)
-
-        m << account unless account.nil?
-      end
+    if @mentions.nil?
+      @mentions = []
+      @mentions << thread.account if reply?
+      @mentions << reblog.account if reblog?
+      self.mentioned_accounts.each { |mention| @mentions << mention.account } unless reblog?
+      @mentions = @mentions.uniq
     end
 
-    m.uniq
+    @mentions
   end
 
   def ancestors
diff --git a/app/views/api/statuses/show.rabl b/app/views/api/statuses/show.rabl
index 6c4063b80..b4a73f9a6 100644
--- a/app/views/api/statuses/show.rabl
+++ b/app/views/api/statuses/show.rabl
@@ -2,7 +2,7 @@ object @status
 
 attributes :id, :created_at, :in_reply_to_id
 node(:uri) { |status| uri_for_target(status) }
-node(:content) { |status| status.local? ? linkify(status) : status.content }
+node(:content) { |status| content_for_status(status) }
 node(:url) { |status| url_for_target(status) }
 node(:reblogs_count) { |status| status.reblogs_count }
 node(:favourites_count) { |status| status.favourites_count }
diff --git a/spec/models/status_spec.rb b/spec/models/status_spec.rb
index 13c5fa3d1..2bf2c744f 100644
--- a/spec/models/status_spec.rb
+++ b/spec/models/status_spec.rb
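Review bot: The rewritten mentions drops the old `unless account.nil?` guard, so a mention row whose account no longer exists would put nil into the memoized list, and consumers such as linkify's `mention_hash[m.acct] = m` (visible in the application_helper hunk) would then raise on it — this assumes the mention's account reference can dangle, which should be checked against the Mention schema. The `if @mentions.nil?` block followed by a bare `@mentions` read is the long form of `@mentions ||= begin … end`, and the builder array can stay local so the instance variable is assigned exactly once. The cache is never invalidated, so a `reload` or a later `mentioned_accounts.create!` on the same instance keeps returning the first result; either document that on the method or clear `@mentions` in an overridden `reload`. The whole body of mentions is inside the hunk.
```ruby
  def mentions
    @mentions ||= begin
      accounts = []
      accounts << thread.account if reply?
      accounts << reblog.account if reblog?
      accounts.concat(mentioned_accounts.map(&:account)) unless reblog?
      accounts.compact.uniq
    end
  end
```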
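Review bot: The API node hands `status` itself to content_for_status, while the Atom helper changed in this same commit unwraps reblogs first with `activity.reblog? ? activity.reblog : activity`, so the two outputs can now disagree on what a reblog's content is. Either use the same expression here, `node(:content) { |status| content_for_status(status.reblog? ? status.reblog : status) }`, or add a comment recording why the API deliberately renders the wrapper's own content (for instance because the reblogged status is emitted as a separate node); the rest of the template is outside the hunk, so I cannot tell which is intended.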
@@ -50,7 +50,7 @@ RSpec.describe Status, type: :model do
     end
 
     it 'returns mentioned accounts' do
-      subject.text = 'Hello @bob!'
+      subject.mentioned_accounts.create!(account: bob)
       expect(subject.mentions).to include bob
     end
 