Sanitize html (#3708)

[lemmy.git] / crates / api_crud / src / post / update.rs

diff --git a/crates/api_crud/src/post/update.rs b/crates/api_crud/src/post/update.rs
index fbbadbc61278795aa0c4f730a286d1cadda5da05..f3be5f6af903a830a756d0e85a3c09e6d34cfb6d 100644 (file)
--- a/crates/api_crud/src/post/update.rs
+++ b/crates/api_crud/src/post/update.rs
@@ -5,7 +5,12 @@ use lemmy_api_common::{
   context::LemmyContext,
   post::{EditPost, PostResponse},
   request::fetch_site_data,
-  utils::{check_community_ban, local_site_to_slur_regex, local_user_view_from_jwt},
+  utils::{
+    check_community_ban,
+    local_site_to_slur_regex,
+    local_user_view_from_jwt,
+    sanitize_html_opt,
+  },
 };
 use lemmy_db_schema::{
   source::{
@@ -39,7 +44,6 @@ impl PerformCrud for EditPost {
     // TODO No good way to handle a clear.
     // Issue link: https://github.com/LemmyNet/lemmy/issues/2287
     let url = Some(data_url.map(clean_url_params).map(Into::into));
-    let body = diesel_option_overwrite(&data.body);
 
     let slur_regex = local_site_to_slur_regex(&local_site);
     check_slurs_opt(&data.name, &slur_regex)?;
@@ -75,6 +79,12 @@ impl PerformCrud for EditPost {
       .map(|u| (Some(u.title), Some(u.description), Some(u.embed_video_url)))
       .unwrap_or_default();
 
+    let name = sanitize_html_opt(&data.name);
+    let body = sanitize_html_opt(&data.body);
+    let body = diesel_option_overwrite(body);
+    let embed_title = embed_title.map(|e| sanitize_html_opt(&e));
+    let embed_description = embed_description.map(|e| sanitize_html_opt(&e));
+
     let language_id = self.language_id;
     CommunityLanguage::is_allowed_community_language(
       &mut context.pool(),
@@ -84,7 +94,7 @@ impl PerformCrud for EditPost {
     .await?;
 
     let post_form = PostUpdateForm::builder()
-      .name(data.name.clone())
+      .name(name)
       .url(url)
       .body(body)
       .nsfw(data.nsfw)