From 23db8f3dd87b74bbae0a4b869fbbf930699e5743 Mon Sep 17 00:00:00 2001 From: Andrew Godwin Date: Wed, 21 Dec 2022 20:48:39 +0000 Subject: [PATCH] Make summary HTML-formatted (and safe!) --- static/css/style.css | 4 ++++ users/services/identity.py | 9 +++++++++ users/views/settings/profile.py | 6 ++++-- 3 files changed, 17 insertions(+), 2 deletions(-) diff --git a/static/css/style.css b/static/css/style.css index cc47d59..9cb8513 100644 --- a/static/css/style.css +++ b/static/css/style.css @@ -835,6 +835,10 @@ h1.identity small { height: 22px; } +.bio p { + margin: 0 0 10px 0; +} + .system-note { background: var(--color-bg-menu); color: var(--color-text-dull); diff --git a/users/services/identity.py b/users/services/identity.py index 8cc7cb0..6558275 100644 --- a/users/services/identity.py +++ b/users/services/identity.py @@ -1,7 +1,9 @@ from typing import cast from django.db import models +from django.template.defaultfilters import linebreaks_filter +from core.html import strip_html from users.models import Follow, FollowStates, Identity @@ -69,3 +71,10 @@ class IdentityService: "endorsed": False, "note": "", } + + def set_summary(self, summary: str): + """ + Safely sets a summary and turns linebreaks into HTML + """ + self.identity.summary = linebreaks_filter(strip_html(summary)) + self.identity.save() diff --git a/users/views/settings/profile.py b/users/views/settings/profile.py index 47417fb..2e53abf 100644 --- a/users/views/settings/profile.py +++ b/users/views/settings/profile.py @@ -5,9 +5,11 @@ from django.utils.decorators import method_decorator from django.views.generic import FormView from core.files import resize_image +from core.html import html_to_plaintext from core.models.config import Config from users.decorators import identity_required from users.models import IdentityStates +from users.services import IdentityService @method_decorator(identity_required, name="dispatch") 
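Review bot: The "safe" claim for `self.identity.summary = linebreaks_filter(strip_html(summary))` in set_summary rests entirely on what `strip_html` returns, which this hunk does not show: Django's `linebreaks` filter only skips its own escaping when the value is `SafeData`, so if `strip_html` marks its result safe, any tag it lets through is stored unescaped, and if it returns a plain `str`, the filter escapes the whole string again and double-encodes entities such as `&amp;`. The docstring should pin that contract down, e.g. `Strips all tags from untrusted user input, converts newlines to <p>/<br>, and stores the result as trusted HTML that templates render without escaping.` Separately, `linebreaks` renders an empty string as `<p></p>`, so a bio cleared in the form is no longer stored as empty; `text = strip_html(summary).strip()` followed by `self.identity.summary = linebreaks_filter(text) if text else ""` keeps the empty case empty. Any summary written by other code paths (presumably federation) never passes through this method, so whatever renders `identity.summary` should not assume this stripping has happened.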
@@ -50,7 +52,7 @@ class ProfilePage(FormView): identity = self.request.identity return { "name": identity.name, - "summary": identity.summary, + "summary": html_to_plaintext(identity.summary), "icon": identity.icon and identity.icon.url, "image": identity.image and identity.image.url, "discoverable": identity.discoverable, @@ -61,8 +63,8 @@ class ProfilePage(FormView): # Update basic info identity = self.request.identity identity.name = form.cleaned_data["name"] - identity.summary = form.cleaned_data["summary"] identity.discoverable = form.cleaned_data["discoverable"] + IdentityService(identity).set_summary(form.cleaned_data["summary"]) # Resize images icon = form.cleaned_data.get("icon") image = form.cleaned_data.get("image")
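Review bot: `IdentityService(identity).set_summary(form.cleaned_data["summary"])` calls `identity.save()` inside the service, so the `name` and `discoverable` assignments on the lines above are committed at that point, before the image resizing that follows; if the image handling fails, the profile is left partially updated, and the save that presumably follows later in form_valid writes the row a second time. Either move the `set_summary` call to after the image handling, next to the existing save, or wrap the body in `transaction.atomic()` so the update is all-or-nothing. In get_initial, `html_to_plaintext(identity.summary)` followed by `set_summary` on submit is a lossy round trip (tags are stripped each time), which is fine for a bio but worth a one-line comment such as `# summary is stored as HTML; edit it as plain text and re-sanitize on save`. form_valid continues past the end of the hunk.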