CommonAPI: Escape HTML for chat messages.

author: lain <lain@soykaf.club> 2020-04-16 12:56:29 +0200
committer: lain <lain@soykaf.club> 2020-04-16 12:56:29 +0200
commit: 3d4eca5dd4be297f03c244497d78db03e82a9d81 (patch)
tree: e89227817b67333d48999be46f7eb39f47ff68ce /lib/pleroma/web/common_api/common_api.ex
parent: 6ace22b56a3ced833bd990de5715048d6bd32f80 (diff)
download: pleroma-3d4eca5dd4be297f03c244497d78db03e82a9d81.tar.gz
1 files changed, 7 insertions, 1 deletions
diff --git a/lib/pleroma/web/common_api/common_api.ex b/lib/pleroma/web/common_api/common_api.ex
index c306c1e96..2c25850db 100644
--- a/lib/pleroma/web/common_api/common_api.ex
+++ b/lib/pleroma/web/common_api/common_api.ex
@@ -17,6 +17,7 @@ defmodule Pleroma.Web.CommonAPI do
   alias Pleroma.Web.ActivityPub.Pipeline
   alias Pleroma.Web.ActivityPub.Utils
   alias Pleroma.Web.ActivityPub.Visibility
+  alias Pleroma.Formatter
 
   import Pleroma.Web.Gettext
   import Pleroma.Web.CommonAPI.Utils
@@ -28,7 +29,12 @@ defmodule Pleroma.Web.CommonAPI do
     transaction =
       Repo.transaction(fn ->
         with {_, {:ok, chat_message_data, _meta}} <-
-               {:build_object, Builder.chat_message(user, recipient.ap_id, content)},
+               {:build_object,
+                Builder.chat_message(
+                  user,
+                  recipient.ap_id,
+                  content |> Formatter.html_escape("text/plain")
+                )},
              {_, {:ok, chat_message_object}} <-
                {:create_object, Object.create(chat_message_data)},
              {_, {:ok, create_activity_data, _meta}} <-
author	lain <lain@soykaf.club>	2020-04-16 12:56:29 +0200
committer	lain <lain@soykaf.club>	2020-04-16 12:56:29 +0200
commit	3d4eca5dd4be297f03c244497d78db03e82a9d81 (patch)
tree	e89227817b67333d48999be46f7eb39f47ff68ce /lib/pleroma/web/common_api/common_api.ex
parent	6ace22b56a3ced833bd990de5715048d6bd32f80 (diff)
download	pleroma-3d4eca5dd4be297f03c244497d78db03e82a9d81.tar.gz