jeffkaufman/shrubgrazer

Revalidate HTML so we don't need to trust servers

jeffkaufman opened this issue · 0 comments

Right now if you add @person@evil.invalid to your users.json then evil.invalid will be able to XSS someone who logs in as @person@evil.invalid. This happens because we trust Mastodon's HTML sanitization. This isn't that bad, since they can't XSS any other users. Still, it would be a bit better if we resanitized the HTML before trusting it.
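
A minimal sketch of the resanitization step proposed above, added here as an illustration and not taken from the shrubgrazer code. It rebuilds server-supplied status HTML from an allowlist instead of trusting the remote sanitizer. The tag allowlist, the `resanitize` and `safe_href` names, and the forced `rel` value are assumptions, and the sample inputs in the usage are constructed.

```python
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumed allowlist for status bodies; everything else is dropped.
ALLOWED_TAGS = {"p", "br", "a", "span", "em", "strong", "code", "pre", "blockquote"}
DROP_WITH_CONTENT = {"script", "style", "iframe", "object", "svg", "math"}

def safe_href(value):
    """Return the URL only if it is absolute http(s); otherwise None."""
    try:
        scheme = urlsplit((value or "").strip()).scheme.lower()
    except ValueError:
        return None
    return value.strip() if scheme in ("http", "https") else None

class Resanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out, self.open_tags, self.skip = [], [], 0

    def handle_starttag(self, tag, attrs):
        if tag in DROP_WITH_CONTENT:
            self.skip += 1
        elif not self.skip and tag in ALLOWED_TAGS:
            extra = ""
            if tag == "a":  # only href survives; handlers, style, class are discarded
                href = safe_href(dict(attrs).get("href"))
                extra = ' href="%s"' % escape(href, quote=True) if href else ""
                extra += ' rel="nofollow noopener noreferrer"'
            self.out.append("<%s%s>" % (tag, extra))
            if tag != "br":
                self.open_tags.append(tag)

    def handle_endtag(self, tag):
        if tag in DROP_WITH_CONTENT:
            self.skip = max(0, self.skip - 1)
        elif not self.skip and tag in self.open_tags:
            while True:  # also close anything left open inside this element
                closed = self.open_tags.pop()
                self.out.append("</%s>" % closed)
                if closed == tag:
                    break

    def handle_data(self, data):
        if not self.skip:  # text is re-escaped, never passed through raw
            self.out.append(escape(data, quote=False))

def resanitize(untrusted_html):
    parser = Resanitizer()
    parser.feed(untrusted_html)
    parser.close()  # flush buffered text, then close tags the server left open
    tail = "".join("</%s>" % t for t in reversed(parser.open_tags))
    return "".join(parser.out) + tail
```

Because the output is regenerated from parsed events, unknown tags, comments and all attributes other than a checked `href` cannot reach the page regardless of what the remote server sent.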