From 49347a0a8b64559192d8f29f1237308025a48fd4 Mon Sep 17 00:00:00 2001 From: Chocobozzz Date: Tue, 17 Oct 2017 16:53:10 +0200 Subject: Escape opengraph/oembed tags --- server/controllers/client.ts | 19 +++++++++++-------- server/helpers/core-utils.ts | 17 +++++++++++++++++ 2 files changed, 28 insertions(+), 8 deletions(-) diff --git a/server/controllers/client.ts b/server/controllers/client.ts index e3c962058..6a2ac4aab 100644 --- a/server/controllers/client.ts +++ b/server/controllers/client.ts @@ -10,7 +10,7 @@ import { STATIC_MAX_AGE, OPENGRAPH_AND_OEMBED_COMMENT } from '../initializers' -import { root, readFileBufferPromise } from '../helpers' +import { root, readFileBufferPromise, escapeHTML } from '../helpers' import { VideoInstance } from '../models' const clientsRouter = express.Router() @@ -47,21 +47,24 @@ function addOpenGraphAndOEmbedTags (htmlStringPage: string, video: VideoInstance const previewUrl = CONFIG.WEBSERVER.URL + STATIC_PATHS.PREVIEWS + video.getPreviewName() const videoUrl = CONFIG.WEBSERVER.URL + '/videos/watch/' + video.uuid + const videoName = escapeHTML(video.name) + const videoDescription = escapeHTML(video.description) + const openGraphMetaTags = { 'og:type': 'video', - 'og:title': video.name, + 'og:title': videoName, 'og:image': previewUrl, 'og:url': videoUrl, - 'og:description': video.description, + 'og:description': videoDescription, - 'name': video.name, - 'description': video.description, + 'name': videoName, + 'description': videoDescription, 'image': previewUrl, 'twitter:card': 'summary_large_image', 'twitter:site': '@Chocobozzz', - 'twitter:title': video.name, - 'twitter:description': video.description, + 'twitter:title': videoName, + 'twitter:description': videoDescription, 'twitter:image': previewUrl } @@ -69,7 +72,7 @@ function addOpenGraphAndOEmbedTags (htmlStringPage: string, video: VideoInstance { type: 'application/json+oembed', href: CONFIG.WEBSERVER.URL + '/services/oembed?url=' + encodeURIComponent(videoUrl), - title: video.name + title: videoName } ] diff --git a/server/helpers/core-utils.ts b/server/helpers/core-utils.ts index 3118dc500..33bbdca8b 100644 --- a/server/helpers/core-utils.ts +++ b/server/helpers/core-utils.ts @@ -38,6 +38,22 @@ function root () { return join.apply(null, paths) } +// Thanks: https://stackoverflow.com/a/12034334 +function escapeHTML (stringParam) { + const entityMap = { + '&': '&', + '<': '<', + '>': '>', + '"': '"', + "'": ''', + '/': '/', + '`': '`', + '=': '=' + } + + return String(stringParam).replace(/[&<>"'`=\/]/g, s => entityMap[s]) +} + function promisify0 (func: (cb: (err: any, result: A) => void) => void): () => Promise { return function promisified (): Promise { return new Promise((resolve: (arg: A) => void, reject: (err: any) => void) => { @@ -101,6 +117,7 @@ const statPromise = promisify1(stat) export { isTestInstance, root, + escapeHTML, promisify0, promisify1, -- cgit v1.2.3