mirror of
https://github.com/ClaperCo/Claper.git
synced 2026-07-10 04:24:14 +02:00
* Fix critical security vulnerabilities Address 5 critical findings from security audit: - Sanitize custom embed HTML to prevent stored XSS (strip all non-iframe content) - Escape URLs in format_body/1 to prevent reflected XSS via post messages - Add authorization check to form export endpoint (IDOR fix) - Replace String.to_atom/1 on user input with explicit whitelists (8 locations) - Add IP-based rate limiting on authentication endpoints via Hammer * Start rate limiter before endpoint in supervision tree * Update CHANGELOG
25 lines
637 B
Elixir
25 lines
637 B
Elixir
defmodule ClaperWeb.Helpers do
|
|
def format_body(body) do
|
|
url_regex = ~r/(https?:\/\/[^\s]+)/
|
|
|
|
body
|
|
|> String.split(url_regex, include_captures: true)
|
|
|> Enum.map(fn
|
|
"http" <> _rest = url ->
|
|
escaped = url |> Phoenix.HTML.html_escape() |> Phoenix.HTML.safe_to_string()
|
|
|
|
Phoenix.HTML.raw(
|
|
~s(<a href="#{escaped}" target="_blank" class="cursor-pointer text-primary-500 hover:underline font-medium">#{escaped}</a>)
|
|
)
|
|
|
|
text ->
|
|
text
|
|
end)
|
|
end
|
|
|
|
def body_without_links(text) do
|
|
url_regex = ~r/(https?:\/\/[^\s]+)/
|
|
String.replace(text, url_regex, "")
|
|
end
|
|
end
|