merge: laxer HTML sanitisation for admin-controlled text - fixes #447 (!454)

View MR for information: https://activitypub.software/TransFem-org/Sharkey/-/merge_requests/454

Closes #447

Approved-by: Marie <marie@kaifa.ch>

packages/backend/src/server/api/mastodon/converters.ts

@@ -279,7 +279,8 @@ export class MastoConverters {
 			emoji_reactions: status.emoji_reactions,
 			bookmarked: false,
 			quote: isQuote ? await this.convertReblog(status.reblog) : false,
-			edited_at: note.updatedAt?.toISOString(),
+			// optional chaining cannot be used, as it evaluates to undefined, not null
+			edited_at: note.updatedAt ? note.updatedAt.toISOString() : null,
 		});
 	}
 }

packages/backend/src/server/web/views/base.pug

@@ -43,7 +43,6 @@ html
 		link(rel='stylesheet' href='/assets/phosphor-icons/bold/style.css')
 		link(rel='stylesheet' href='/static-assets/fonts/sharkey-icons/style.css')
 		link(rel='modulepreload' href=`/vite/${clientEntry.file}`)
-		script(src='/client-assets/libopenmpt.js')
 
 		if !config.clientManifestExists
 				script(type="module" src="/vite/@vite/client")
@@ -73,7 +72,6 @@ html
 		script.
 			var VERSION = "#{version}";
 			var CLIENT_ENTRY = "#{clientEntry.file}";
-			window.libopenmpt = window.Module;
 
 		script(type='application/json' id='misskey_meta' data-generated-at=now)
 			!= metaJson

packages/frontend/src/components/MkSignupDialog.rules.vue

@@ -65,7 +65,7 @@ SPDX-License-Identifier: AGPL-3.0-only
 import { computed, ref } from 'vue';
 import { instance } from '@/instance.js';
 import { i18n } from '@/i18n.js';
-import sanitizeHtml from 'sanitize-html';
+import sanitizeHtml from '@/scripts/sanitize-html.js';
 import MkButton from '@/components/MkButton.vue';
 import MkFolder from '@/components/MkFolder.vue';
 import MkSwitch from '@/components/MkSwitch.vue';

packages/frontend/src/components/MkVisitorDashboard.vue

@@ -56,7 +56,7 @@ SPDX-License-Identifier: AGPL-3.0-only
 <script lang="ts" setup>
 import { ref } from 'vue';
 import * as Misskey from 'misskey-js';
-import sanitizeHtml from 'sanitize-html';
+import sanitizeHtml from '@/scripts/sanitize-html.js';
 import XSigninDialog from '@/components/MkSigninDialog.vue';
 import XSignupDialog from '@/components/MkSignupDialog.vue';
 import MkButton from '@/components/MkButton.vue';

packages/frontend/src/pages/about.vue

@@ -130,7 +130,7 @@ SPDX-License-Identifier: AGPL-3.0-only
 </template>
 
 <script lang="ts" setup>
-import sanitizeHtml from 'sanitize-html';
+import sanitizeHtml from '@/scripts/sanitize-html.js';
 import { computed, watch, ref } from 'vue';
 import * as Misskey from 'misskey-js';
 import XEmojis from './about.emojis.vue';

packages/frontend/src/scripts/chiptune2.ts

@@ -1,9 +1,12 @@
-/* global libopenmpt UTF8ToString writeAsciiToMemory */
+// @ts-nocheck
 /* eslint-disable */
 
 const ChiptuneAudioContext = window.AudioContext || window.webkitAudioContext;
 
-export function ChiptuneJsConfig (repeatCount: number, context: AudioContext) {
+let libopenmpt
+let libopenmptLoadPromise
+
+export function ChiptuneJsConfig (repeatCount?: number, context?: AudioContext) {
 	this.repeatCount = repeatCount;
 	this.context = context;
 }
@@ -20,6 +23,28 @@ export function ChiptuneJsPlayer (config: object) {
 	this.volume = 1;
 }
 
+ChiptuneJsPlayer.prototype.initialize = function() {
+	if (libopenmptLoadPromise) return libopenmptLoadPromise;
+	if (libopenmpt) return Promise.resolve();
+
+	libopenmptLoadPromise = new Promise(async (resolve, reject) => {
+		try {
+			const { Module } = await import('./libopenmpt/libopenmpt.js');
+			await new Promise((resolve) => {
+				Module['onRuntimeInitialized'] = resolve;
+			})
+			libopenmpt = Module;
+			resolve()
+		} catch (e) {
+			reject(e)
+		} finally {
+			libopenmptLoadPromise = undefined;
+		}
+	})
+
+	return libopenmptLoadPromise;
+}
+
 ChiptuneJsPlayer.prototype.constructor = ChiptuneJsPlayer;
 
 ChiptuneJsPlayer.prototype.fireEvent = function (eventName: string, response) {
@@ -61,12 +86,12 @@ ChiptuneJsPlayer.prototype.seek = function (position: number) {
 
 ChiptuneJsPlayer.prototype.metadata = function () {
 	const data = {};
-	const keys = UTF8ToString(libopenmpt._openmpt_module_get_metadata_keys(this.currentPlayingNode.modulePtr)).split(';');
+	const keys = libopenmpt.UTF8ToString(libopenmpt._openmpt_module_get_metadata_keys(this.currentPlayingNode.modulePtr)).split(';');
 	let keyNameBuffer = 0;
 	for (const key of keys) {
 		keyNameBuffer = libopenmpt._malloc(key.length + 1);
-		writeAsciiToMemory(key, keyNameBuffer);
+		libopenmpt.writeAsciiToMemory(key, keyNameBuffer);
-		data[key] = UTF8ToString(libopenmpt._openmpt_module_get_metadata(this.currentPlayingNode.modulePtr, keyNameBuffer));
+		data[key] = libopenmpt.UTF8ToString(libopenmpt._openmpt_module_get_metadata(this.currentPlayingNode.modulePtr, keyNameBuffer));
 		libopenmpt._free(keyNameBuffer);
 	}
 	return data;
@@ -84,7 +109,7 @@ ChiptuneJsPlayer.prototype.unlock = function () {
 };
 
 ChiptuneJsPlayer.prototype.load = function (input) {
-	return new Promise((resolve, reject) => {
+	return this.initialize().then(() => new Promise((resolve, reject) => {
 		if(this.touchLocked) {
 			this.unlock();
 		}
@@ -106,7 +131,7 @@ ChiptuneJsPlayer.prototype.load = function (input) {
 				reject(error);
 			});
 		}
-	});
+	}));
 };
 
 ChiptuneJsPlayer.prototype.play = function (buffer: ArrayBuffer) {
@@ -180,7 +205,7 @@ ChiptuneJsPlayer.prototype.getPatternNumRows = function (pattern: number) {
 
 ChiptuneJsPlayer.prototype.getPatternRowChannel = function (pattern: number, row: number, channel: number) {
 	if (this.currentPlayingNode && this.currentPlayingNode.modulePtr) {
-		return UTF8ToString(libopenmpt._openmpt_module_format_pattern_row_channel(this.currentPlayingNode.modulePtr, pattern, row, channel, 0, true));
+		return libopenmpt.UTF8ToString(libopenmpt._openmpt_module_format_pattern_row_channel(this.currentPlayingNode.modulePtr, pattern, row, channel, 0, true));
 	}
 	return '';
 };

packages/frontend/src/scripts/libopenmpt/LICENSE

@@ -0,0 +1,25 @@
+Copyright (c) 2004-2024, OpenMPT Project Developers and Contributors
+Copyright (c) 1997-2003, Olivier Lapicque
+All rights reserved.
+
+Redistribution and use in source and binary forms, with or without
+modification, are permitted provided that the following conditions are met:
+    * Redistributions of source code must retain the above copyright
+      notice, this list of conditions and the following disclaimer.
+    * Redistributions in binary form must reproduce the above copyright
+      notice, this list of conditions and the following disclaimer in the
+      documentation and/or other materials provided with the distribution.
+    * Neither the name of the OpenMPT project nor the
+      names of its contributors may be used to endorse or promote products
+      derived from this software without specific prior written permission.
+
+THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
+AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
+DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
+FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
+SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
+CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
+OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

packages/frontend/src/scripts/libopenmpt/readme.md

@@ -0,0 +1,23 @@
+modifications made to `libopenmpt.js` (can be taken from https://lib.openmpt.org/libopenmpt/download/):
+
+at the beginning of the file:
+```js
+// @ts-nocheck
+/* eslint-disable */
+```
+
+at the end of the file:
+```js
+Module.UTF8ToString = UTF8ToString;
+Module.writeAsciiToMemory = writeAsciiToMemory;
+export { Module }
+```
+
+replace
+```
+wasmBinaryFile="libopenmpt.wasm"
+```
+with
+```
+wasmBinaryFile=new URL("./libopenmpt.wasm", import.meta.url).href
+```

packages/frontend/src/scripts/sanitize-html.ts

@@ -0,0 +1,18 @@
+/*
+ * SPDX-FileCopyrightText: dakkar and other Sharkey contributors
+ * SPDX-License-Identifier: AGPL-3.0-only
+*/
+
+import original from 'sanitize-html';
+
+export default function sanitizeHtml(str: string | null): string | null {
+	if (str == null) return str;
+	return original(str, {
+		allowedTags: original.defaults.allowedTags.concat(['img', 'audio', 'video', 'center']),
+		allowedAttributes: {
+			...original.defaults.allowedAttributes,
+			a: original.defaults.allowedAttributes.a.concat(['style']),
+			img: original.defaults.allowedAttributes.img.concat(['style']),
+		},
+	});
+}

packages/frontend/vite.config.ts

@@ -8,7 +8,7 @@ import meta from '../../package.json';
 import pluginUnwindCssModuleClassName from './lib/rollup-plugin-unwind-css-module-class-name.js';
 import pluginJson5 from './vite.json5.js';
 
-const extensions = ['.ts', '.tsx', '.js', '.jsx', '.mjs', '.json', '.json5', '.svg', '.sass', '.scss', '.css', '.vue'];
+const extensions = ['.ts', '.tsx', '.js', '.jsx', '.mjs', '.json', '.json5', '.svg', '.sass', '.scss', '.css', '.vue', '.wasm'];
 
 const hash = (str: string, seed = 0): number => {
 	let h1 = 0xdeadbeef ^ seed,

packages/megalodon/src/entities/status.ts

@@ -19,6 +19,7 @@ namespace Entity {
     content: string
     plain_content?: string | null
     created_at: string
+    edited_at: string | null
     emojis: Emoji[]
     replies_count: number
     reblogs_count: number

packages/megalodon/src/friendica/api_client.ts

@@ -725,6 +725,7 @@ namespace FriendicaAPI {
       content: s.content,
       plain_content: null,
       created_at: s.created_at,
+      edited_at: s.edited_at || null,
       emojis: Array.isArray(s.emojis) ? s.emojis.map(e => emoji(e)) : [],
       replies_count: s.replies_count,
       reblogs_count: s.reblogs_count,

packages/megalodon/src/friendica/entities/status.ts

@@ -17,6 +17,7 @@ namespace FriendicaEntity {
     reblog: Status | null
     content: string
     created_at: string
+    edited_at?: string | null
     emojis: Emoji[]
     replies_count: number
     reblogs_count: number

packages/megalodon/src/mastodon/api_client.ts

@@ -628,6 +628,7 @@ namespace MastodonAPI {
       content: s.content,
       plain_content: null,
       created_at: s.created_at,
+      edited_at: s.edited_at || null,
       emojis: Array.isArray(s.emojis) ? s.emojis.map(e => emoji(e)) : [],
       replies_count: s.replies_count,
       reblogs_count: s.reblogs_count,

packages/megalodon/src/mastodon/entities/status.ts

@@ -18,6 +18,7 @@ namespace MastodonEntity {
     reblog: Status | null
     content: string
     created_at: string
+    edited_at?: string | null
     emojis: Emoji[]
     replies_count: number
     reblogs_count: number

packages/megalodon/src/misskey/api_client.ts

@@ -283,6 +283,7 @@ namespace MisskeyAPI {
           : '',
         plain_content: n.text ? n.text : null,
         created_at: n.createdAt,
+        edited_at: n.updatedAt || null,
         emojis: mapEmojis(n.emojis).concat(mapReactionEmojis(n.reactionEmojis)),
         replies_count: n.repliesCount,
         reblogs_count: n.renoteCount,

packages/megalodon/src/misskey/entities/note.ts

@@ -7,6 +7,7 @@ namespace MisskeyEntity {
   export type Note = {
     id: string
     createdAt: string
+    updatedAt?: string | null
     userId: string
     user: User
     text: string | null

packages/megalodon/src/pleroma/api_client.ts

@@ -357,6 +357,7 @@ namespace PleromaAPI {
       content: s.content,
       plain_content: s.pleroma.content?.['text/plain'] ? s.pleroma.content['text/plain'] : null,
       created_at: s.created_at,
+      edited_at: s.edited_at || null,
       emojis: Array.isArray(s.emojis) ? s.emojis.map(e => emoji(e)) : [],
       replies_count: s.replies_count,
       reblogs_count: s.reblogs_count,

packages/megalodon/src/pleroma/entities/status.ts

@@ -18,6 +18,7 @@ namespace PleromaEntity {
     reblog: Status | null
     content: string
     created_at: string
+    edited_at?: string | null
     emojis: Emoji[]
     replies_count: number
     reblogs_count: number

packages/megalodon/test/integration/mastodon/api_client.spec.ts

@@ -49,6 +49,7 @@ const status: Entity.Status = {
   content: 'hoge',
   plain_content: null,
   created_at: '2019-03-26T21:40:32',
+  edited_at: null,
   emojis: [],
   replies_count: 0,
   reblogs_count: 0,

packages/megalodon/test/unit/parser.spec.ts

@@ -38,6 +38,7 @@ const status: Entity.Status = {
   content: 'hoge',
   plain_content: 'hoge',
   created_at: '2019-03-26T21:40:32',
+  edited_at: null,
   emojis: [],
   replies_count: 0,
   reblogs_count: 0,

packages/megalodon/test/unit/webo_socket.spec.ts

@@ -37,6 +37,7 @@ const status: Entity.Status = {
   content: 'hoge',
   plain_content: 'hoge',
   created_at: '2019-03-26T21:40:32',
+  edited_at: null,
   emojis: [],
   replies_count: 0,
   reblogs_count: 0,