microformats.maybe_linked_name: HTML-escape name

Mainly for quote attachments. Also for [GHSA-4w4f-g49g-3f7j](GHSA-4w4f-g49g-3f7j); thank you [@janboddez](https://github.com/janboddez)!
snarfed · Aug 29, 2023 · 2172378 · 2172378
1 parent 62e574c
commit 2172378
Show file tree

Hide file tree

Showing 3 changed files with 16 additions and 4 deletions.
diff --git a/README.md b/README.md
@@ -331,7 +331,7 @@ _Non-breaking changes:_
   * `status_to_object`: add/fix alt text handling for images.
 * `microformats2`:
   * `json_to_html`:
-    * HTML-escape tag names. Fixes [GHSA-4w4f-g49g-3f7j](https://github.com/snarfed/bridgy/security/advisories/GHSA-4w4f-g49g-3f7j); thank you [@janboddez](https://github.com/janboddez)!
+    * HTML-escape tag and quote attachment names. Fixes [GHSA-4w4f-g49g-3f7j](https://github.com/snarfed/bridgy/security/advisories/GHSA-4w4f-g49g-3f7j); thank you [@janboddez](https://github.com/janboddez)!
   * `json_to_object`:
     * Improve handling of items with multiple types by using [post type discovery](https://indiewebcamp.com/post-type-discovery) more aggressively.
     * Normalize ISO-8601 format of `published` and `updated` timestamps.

diff --git a/granary/microformats2.py b/granary/microformats2.py
@@ -137,7 +137,9 @@ def get_html(val):
   Returns:
     string or None
   """
-  if isinstance(val, dict) and val.get('html'):
+  if val is None:
+    return None
+  elif isinstance(val, dict) and val.get('html'):
     return val['html'].strip()
 
   return html.escape(get_text(val), quote=False)
@@ -789,7 +791,9 @@ def json_to_html(obj, parent_props=None):
       props['name'] = [{'yes': 'is attending.',
                         'no': 'is not attending.',
                         'maybe': 'might attend.'}.get(rsvp)]
-    props['name'][0] = f"<data class=\"p-rsvp\" value=\"{rsvp}\">{props['name'][0]}</data>"
+    props['name'][0] = {
+      'html': f"<data class=\"p-rsvp\" value=\"{rsvp}\">{props['name'][0]}</data>",
+    }
 
   elif props.get('invitee') and not props.get('name'):
     props['name'] = ['invited']
@@ -1242,7 +1246,7 @@ def maybe_linked_name(props):
     string HTML
   """
   prop = first_props(props)
-  name = prop.get('name')
+  name = get_html(prop.get('name'))
   url = prop.get('url')
 
   if name is not None:

diff --git a/granary/tests/test_microformats2.py b/granary/tests/test_microformats2.py
@@ -666,6 +666,14 @@ def test_tags_to_html_escapes_html(self):
         'displayName': '<bar>',
       }], 'tag'))
 
+  def test_maybe_linked_name_escapes_html(self):
+    self.assert_equals(
+      '<a class="p-name u-url" href="http://foo">&lt;bar&gt;</a>',
+      microformats2.maybe_linked_name({
+        'url': ['http://foo'],
+        'name': ['<bar>'],
+      }))
+
   def test_json_to_object_with_location_hcard(self):
     obj = microformats2.json_to_object({
       'type': ['h-entry'],