Sanitize html (#3708)

[lemmy.git] / crates / apub / src / objects / comment.rs

diff --git a/crates/apub/src/objects/comment.rs b/crates/apub/src/objects/comment.rs
index e2a03b8b3f8b69f62be3c8b1fe1ff25ba8f4d106..3b05ed3946e0bb6bc00f4959d70905e6155bcbf8 100644 (file)
--- a/crates/apub/src/objects/comment.rs
+++ b/crates/apub/src/objects/comment.rs
@@ -1,7 +1,6 @@
 use crate::{
   activities::{verify_is_public, verify_person_in_community},
   check_apub_id_valid_with_strictness,
-  fetch_local_site_data,
   mentions::collect_non_local_mentions,
   objects::{read_from_string_or_source, verify_is_remote_object},
   protocol::{
@@ -17,7 +16,10 @@ use activitypub_federation::{
   traits::Object,
 };
 use chrono::NaiveDateTime;
-use lemmy_api_common::{context::LemmyContext, utils::local_site_opt_to_slur_regex};
+use lemmy_api_common::{
+  context::LemmyContext,
+  utils::{local_site_opt_to_slur_regex, sanitize_html},
+};
 use lemmy_db_schema::{
   source::{
     comment::{Comment, CommentInsertForm, CommentUpdateForm},
@@ -29,7 +31,7 @@ use lemmy_db_schema::{
   traits::Crud,
 };
 use lemmy_utils::{
-  error::LemmyError,
+  error::{LemmyError, LemmyErrorType},
   utils::{markdown::markdown_to_html, slurs::remove_slurs, time::convert_datetime},
 };
 use std::ops::Deref;
@@ -67,7 +69,7 @@ impl Object for ApubComment {
     context: &Data<Self::DataType>,
   ) -> Result<Option<Self>, LemmyError> {
     Ok(
-      Comment::read_from_apub_id(context.pool(), object_id)
+      Comment::read_from_apub_id(&mut context.pool(), object_id)
         .await?
         .map(Into::into),
     )
@@ -77,7 +79,7 @@ impl Object for ApubComment {
   async fn delete(self, context: &Data<Self::DataType>) -> Result<(), LemmyError> {
     if !self.deleted {
       let form = CommentUpdateForm::builder().deleted(Some(true)).build();
-      Comment::update(context.pool(), self.id, &form).await?;
+      Comment::update(&mut context.pool(), self.id, &form).await?;
     }
     Ok(())
   }
@@ -85,20 +87,20 @@ impl Object for ApubComment {
   #[tracing::instrument(skip_all)]
   async fn into_json(self, context: &Data<Self::DataType>) -> Result<Note, LemmyError> {
     let creator_id = self.creator_id;
-    let creator = Person::read(context.pool(), creator_id).await?;
+    let creator = Person::read(&mut context.pool(), creator_id).await?;
 
     let post_id = self.post_id;
-    let post = Post::read(context.pool(), post_id).await?;
+    let post = Post::read(&mut context.pool(), post_id).await?;
     let community_id = post.community_id;
-    let community = Community::read(context.pool(), community_id).await?;
+    let community = Community::read(&mut context.pool(), community_id).await?;
 
     let in_reply_to = if let Some(comment_id) = self.parent_comment_id() {
-      let parent_comment = Comment::read(context.pool(), comment_id).await?;
+      let parent_comment = Comment::read(&mut context.pool(), comment_id).await?;
       parent_comment.ap_id.into()
     } else {
       post.ap_id.into()
     };
-    let language = LanguageTag::new_single(self.language_id, context.pool()).await?;
+    let language = LanguageTag::new_single(self.language_id, &mut context.pool()).await?;
     let maa = collect_non_local_mentions(&self, community.actor_id.clone().into(), context).await?;
 
     let note = Note {
@@ -132,19 +134,13 @@ impl Object for ApubComment {
     verify_domains_match(note.attributed_to.inner(), note.id.inner())?;
     verify_is_public(&note.to, &note.cc)?;
     let community = note.community(context).await?;
-    let local_site_data = fetch_local_site_data(context.pool()).await?;
-
-    check_apub_id_valid_with_strictness(
-      note.id.inner(),
-      community.local,
-      &local_site_data,
-      context.settings(),
-    )?;
+
+    check_apub_id_valid_with_strictness(note.id.inner(), community.local, context).await?;
     verify_is_remote_object(note.id.inner(), context.settings())?;
     verify_person_in_community(&note.attributed_to, &community, context).await?;
     let (post, _) = note.get_parents(context).await?;
     if post.locked {
-      return Err(LemmyError::from_message("Post is locked"));
+      return Err(LemmyErrorType::PostIsLocked)?;
     }
     Ok(())
   }
@@ -159,15 +155,17 @@ impl Object for ApubComment {
 
     let content = read_from_string_or_source(&note.content, &note.media_type, &note.source);
 
-    let local_site = LocalSite::read(context.pool()).await.ok();
+    let local_site = LocalSite::read(&mut context.pool()).await.ok();
     let slur_regex = &local_site_opt_to_slur_regex(&local_site);
-    let content_slurs_removed = remove_slurs(&content, slur_regex);
-    let language_id = LanguageTag::to_language_id_single(note.language, context.pool()).await?;
+    let content = remove_slurs(&content, slur_regex);
+    let content = sanitize_html(&content);
+    let language_id =
+      LanguageTag::to_language_id_single(note.language, &mut context.pool()).await?;
 
     let form = CommentInsertForm {
       creator_id: creator.id,
       post_id: post.id,
-      content: content_slurs_removed,
+      content,
       removed: None,
       published: note.published.map(|u| u.naive_local()),
       updated: note.updated.map(|u| u.naive_local()),
@@ -178,13 +176,16 @@ impl Object for ApubComment {
       language_id,
     };
     let parent_comment_path = parent_comment.map(|t| t.0.path);
-    let comment = Comment::create(context.pool(), &form, parent_comment_path.as_ref()).await?;
+    let comment = Comment::create(&mut context.pool(), &form, parent_comment_path.as_ref()).await?;
     Ok(comment.into())
   }
 }
 
 #[cfg(test)]
 pub(crate) mod tests {
+  #![allow(clippy::unwrap_used)]
+  #![allow(clippy::indexing_slicing)]
+
   use super::*;
   use crate::{
     objects::{
@@ -216,14 +217,18 @@ pub(crate) mod tests {
   }
 
   async fn cleanup(data: (ApubPerson, ApubCommunity, ApubPost, ApubSite), context: &LemmyContext) {
-    Post::delete(context.pool(), data.2.id).await.unwrap();
-    Community::delete(context.pool(), data.1.id).await.unwrap();
-    Person::delete(context.pool(), data.0.id).await.unwrap();
-    Site::delete(context.pool(), data.3.id).await.unwrap();
-    LocalSite::delete(context.pool()).await.unwrap();
+    Post::delete(&mut context.pool(), data.2.id).await.unwrap();
+    Community::delete(&mut context.pool(), data.1.id)
+      .await
+      .unwrap();
+    Person::delete(&mut context.pool(), data.0.id)
+      .await
+      .unwrap();
+    Site::delete(&mut context.pool(), data.3.id).await.unwrap();
+    LocalSite::delete(&mut context.pool()).await.unwrap();
   }
 
-  #[actix_rt::test]
+  #[tokio::test]
   #[serial]
   pub(crate) async fn test_parse_lemmy_comment() {
     let context = init_context().await;
@@ -245,11 +250,13 @@ pub(crate) mod tests {
     let to_apub = comment.into_json(&context).await.unwrap();
     assert_json_include!(actual: json, expected: to_apub);
 
-    Comment::delete(context.pool(), comment_id).await.unwrap();
+    Comment::delete(&mut context.pool(), comment_id)
+      .await
+      .unwrap();
     cleanup(data, &context).await;
   }
 
-  #[actix_rt::test]
+  #[tokio::test]
   #[serial]
   async fn test_parse_pleroma_comment() {
     let context = init_context().await;
@@ -275,11 +282,13 @@ pub(crate) mod tests {
     assert!(!comment.local);
     assert_eq!(context.request_count(), 1);
 
-    Comment::delete(context.pool(), comment.id).await.unwrap();
+    Comment::delete(&mut context.pool(), comment.id)
+      .await
+      .unwrap();
     cleanup(data, &context).await;
   }
 
-  #[actix_rt::test]
+  #[tokio::test]
   #[serial]
   async fn test_html_to_markdown_sanitize() {
     let parsed = parse_html("<script></script><b>hello</b>");