Files
Claper/lib/claper_web/helpers.ex
Alexandre Lion 8f46837900 Fix critical security vulnerabilities (#211)
* Fix critical security vulnerabilities

Address 5 critical findings from security audit:
- Sanitize custom embed HTML to prevent stored XSS (strip all non-iframe content)
- Escape URLs in format_body/1 to prevent reflected XSS via post messages
- Add authorization check to form export endpoint (IDOR fix)
- Replace String.to_atom/1 on user input with explicit whitelists (8 locations)
- Add IP-based rate limiting on authentication endpoints via Hammer

* Start rate limiter before endpoint in supervision tree

* Update CHANGELOG
2026-02-09 19:18:14 +01:00

25 lines
637 B
Elixir

defmodule ClaperWeb.Helpers do
def format_body(body) do
url_regex = ~r/(https?:\/\/[^\s]+)/
body
|> String.split(url_regex, include_captures: true)
|> Enum.map(fn
"http" <> _rest = url ->
escaped = url |> Phoenix.HTML.html_escape() |> Phoenix.HTML.safe_to_string()
Phoenix.HTML.raw(
~s(<a href="#{escaped}" target="_blank" class="cursor-pointer text-primary-500 hover:underline font-medium">#{escaped}</a>)
)
text ->
text
end)
end
def body_without_links(text) do
url_regex = ~r/(https?:\/\/[^\s]+)/
String.replace(text, url_regex, "")
end
end