From 8b7c362611543fcbc80978a4c5de1a4e81e4bdd8 Mon Sep 17 00:00:00 2001
From: SphericalKat
Date: Tue, 17 Aug 2021 03:00:24 +0530
Subject: [PATCH] fix(pastes): sanitize paste content while rendering
Signed-off-by: SphericalKat
---
 assets/css/highlight.css | 4 ++++
 lib/ketbin_web/controllers/page_controller.ex | 2 +-
 lib/ketbin_web/templates/page/show.html.eex | 2 +-
 mix.exs | 3 ++-
 mix.lock | 3 +++
 5 files changed, 11 insertions(+), 3 deletions(-)
diff --git a/assets/css/highlight.css b/assets/css/highlight.css
index 475ca40..7969f7a 100644
--- a/assets/css/highlight.css
+++ b/assets/css/highlight.css
@@ -233,3 +233,7 @@
 .source .block {
 display: inline;
 }
+
+span .block {
+ display: inline;
+}
\ No newline at end of file
diff --git a/lib/ketbin_web/controllers/page_controller.ex b/lib/ketbin_web/controllers/page_controller.ex
index ed1b242..26ae932 100644
--- a/lib/ketbin_web/controllers/page_controller.ex
+++ b/lib/ketbin_web/controllers/page_controller.ex
@@ -30,7 +30,7 @@ defmodule KetbinWeb.PageController do
 def showlink(%{assigns: %{show_edit: show_edit}} = conn, %{"id" => id}) do
 [head | tail] = String.split(id, ".")
 paste = Pastes.get_paste!(head)
- render(conn, "show.html", paste: paste, show_edit: show_edit, extension: List.first(tail) || "")
+ render(conn, "show.html", paste: paste, show_edit: show_edit, extension: (if tail == [], do: "", else: tail))
 end
 def raw(conn, %{"id" => id}) do
diff --git a/lib/ketbin_web/templates/page/show.html.eex b/lib/ketbin_web/templates/page/show.html.eex
index 5f0c5e6..067442c 100644
--- a/lib/ketbin_web/templates/page/show.html.eex
+++ b/lib/ketbin_web/templates/page/show.html.eex
@@ -8,5 +8,5 @@
 <% end %>
- <%= raw Ketbin.Utils.Syntax.highlight_text(@paste.content, @extension) %>
+ <%= raw Ketbin.Utils.Syntax.highlight_text(@paste.content, @extension) |> HtmlSanitizeEx.html5 %>
diff --git a/mix.exs b/mix.exs
index bbbecdf..c64d1ca 100644
--- a/mix.exs
+++ b/mix.exs
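Review bot: The replacement `extension:` value in showlink changes its type from a string to a list: for an id such as `abc.rs`, `tail` is `["rs"]`, so the template's `highlight_text(@paste.content, @extension)` now receives `["rs"]` (and `["tar", "gz"]` for `abc.tar.gz`) where the removed line passed `List.first(tail) || ""`. Unless `Ketbin.Utils.Syntax.highlight_text/2` was also changed to accept a list, this is a behaviour change the commit message does not mention, and it is easy to miss because the `[]` case still yields `""`. If the goal was only to avoid the `||`, `extension: (case tail do [] -> ""; [ext | _] -> ext end)` keeps the old string contract; if the whole segment list is intended, say so in a comment on the `render` call so the template side is kept in step.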
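Review bot: The sanitizer is applied to the highlighter's output, not to the paste content, so untrusted text is first wrapped in markup and only afterwards filtered; this is sound only as long as `HtmlSanitizeEx.html5` removes everything the highlighter did not generate while keeping the `<span class=...>` markup the stylesheet depends on — the `span .block` rule added to highlight.css in the same commit suggests the scrubbed output already differs from the raw one, so the scrubber's element/attribute allow-list is worth checking against what the highlighter emits. A more robust layering is for `Ketbin.Utils.Syntax.highlight_text/2` to HTML-escape the text nodes itself, so that `raw` only ever trusts markup the application produced, with the sanitizer kept as a second line of defense rather than the only one. In any case, write the call with explicit parentheses, `<%= raw(Ketbin.Utils.Syntax.highlight_text(@paste.content, @extension) |> HtmlSanitizeEx.html5()) %>`, so the order — sanitize, then mark as safe — does not depend on how a no-parens call and `|>` bind to each other.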
@@ -47,7 +47,8 @@ defmodule Ketbin.MixProject do
 {:jason, "~> 1.0"},
 {:plug_cowboy, "~> 2.0"},
 {:phx_gen_auth, "~> 0.7", only: [:dev], runtime: false},
- {:rustler, "~> 0.22-rc"}
+ {:rustler, "~> 0.22-rc"},
+ {:html_sanitize_ex, "~> 1.4"},
 ]
 end
diff --git a/mix.lock b/mix.lock
index c0c34ee..e1b0769 100644
--- a/mix.lock
+++ b/mix.lock
@@ -12,8 +12,11 @@
 "elixir_make": {:hex, :elixir_make, "0.6.2", "7dffacd77dec4c37b39af867cedaabb0b59f6a871f89722c25b28fcd4bd70530", [:mix], [], "hexpm", "03e49eadda22526a7e5279d53321d1cced6552f344ba4e03e619063de75348d9"},
 "file_system": {:hex, :file_system, "0.2.10", "fb082005a9cd1711c05b5248710f8826b02d7d1784e7c3451f9c1231d4fc162d", [:mix], [], "hexpm", "41195edbfb562a593726eda3b3e8b103a309b733ad25f3d642ba49696bf715dc"},
 "gettext": {:hex, :gettext, "0.18.2", "7df3ea191bb56c0309c00a783334b288d08a879f53a7014341284635850a6e55", [:mix], [], "hexpm", "f9f537b13d4fdd30f3039d33cb80144c3aa1f8d9698e47d7bcbcc8df93b1f5c5"},
+ "html_entities": {:hex, :html_entities, "0.5.2", "9e47e70598da7de2a9ff6af8758399251db6dbb7eebe2b013f2bbd2515895c3c", [:mix], [], "hexpm", "c53ba390403485615623b9531e97696f076ed415e8d8058b1dbaa28181f4fdcc"},
+ "html_sanitize_ex": {:hex, :html_sanitize_ex, "1.4.1", "e8a67da405fe9f0d1be121a40a60f70811192033a5b8d00a95dddd807f5e053e", [:mix], [{:mochiweb, "~> 2.15", [hex: :mochiweb, repo: "hexpm", optional: false]}], "hexpm", "68d92656f47cd73598c45ad2394561f025c8c65d146001b955fd7b517858962a"},
 "jason": {:hex, :jason, "1.2.2", "ba43e3f2709fd1aa1dce90aaabfd039d000469c05c56f0b8e31978e03fa39052", [:mix], [{:decimal, "~> 1.0 or ~> 2.0", [hex: :decimal, repo: "hexpm", optional: true]}], "hexpm", "18a228f5f0058ee183f29f9eae0805c6e59d61c3b006760668d8d18ff0d12179"},
 "mime": {:hex, :mime, "1.6.0", "dabde576a497cef4bbdd60aceee8160e02a6c89250d6c0b29e56c0dfb00db3d2", [:mix], [], "hexpm", "31a1a8613f8321143dde1dafc36006a17d28d02bdfecb9e95a880fa7aabd19a7"},
+ "mochiweb": {:hex, :mochiweb, "2.21.0", "3fe5c3403606726d7bc6dabbf36f9d634d5364ce7f33ce73442937fa54feec37", [:rebar3], [], "hexpm", "f848bfa1b75c32d56da9d2730245e34df4b39079c5d45d7b966b072ba53f8a13"},
 "phoenix": {:hex, :phoenix, "1.5.10", "3ee7d5c17ff9626d72d374d8fc8909bf00f4323fd15549fbe3abbbd38b5299c8", [:mix], [{:jason, "~> 1.0", [hex: :jason, repo: "hexpm", optional: true]}, {:phoenix_html, "~> 2.13 or ~> 3.0", 
[hex: :phoenix_html, repo: "hexpm", optional: true]}, {:phoenix_pubsub, "~> 2.0", [hex: :phoenix_pubsub, repo: "hexpm", optional: false]}, {:plug, "~> 1.10", [hex: :plug, repo: "hexpm", optional: false]}, {:plug_cowboy, "~> 1.0 or ~> 2.2", [hex: :plug_cowboy, repo: "hexpm", optional: true]}, {:plug_crypto, "~> 1.1.2 or ~> 1.2", [hex: :plug_crypto, repo: "hexpm", optional: false]}, {:telemetry, "~> 0.4", [hex: :telemetry, repo: "hexpm", optional: false]}], "hexpm", "f9c2eaa5a8fe5a412610c6aa84ccdb6f3e92f333d4df7fbaeb0d5a157dbfb48d"},
 "phoenix_ecto": {:hex, :phoenix_ecto, "4.3.0", "2c69a452c2e0ee8c93345ae1cdc1696ef4877ff9cbb15c305def41960c3c4ebf", [:mix], [{:ecto, "~> 3.0", [hex: :ecto, repo: "hexpm", optional: false]}, {:phoenix_html, "~> 2.14.2 or ~> 3.0", [hex: :phoenix_html, repo: "hexpm", optional: true]}, {:plug, "~> 1.0", [hex: :plug, repo: "hexpm", optional: false]}], "hexpm", "0ac491924217550c8f42c81c1f390b5d81517d12ceaf9abf3e701156760a848e"},
 "phoenix_html": {:hex, :phoenix_html, "2.14.3", "51f720d0d543e4e157ff06b65de38e13303d5778a7919bcc696599e5934271b8", [:mix], [{:plug, "~> 1.5", [hex: :plug, repo: "hexpm", optional: false]}], "hexpm", "efd697a7fff35a13eeeb6b43db884705cba353a1a41d127d118fda5f90c8e80f"},