fix: address security and quality issues from code review

Security fixes:
- Fix XSS in Atom feed: escape user-supplied URLs in HTML content
- Wrap signup request approval in a transaction to prevent
  partial state on crash (user created but request still pending)
- Stop leaking internal error messages to admin UI
- Add request body size limit on API import endpoint
- Log SetMustResetPassword errors instead of silently discarding

Correctness fixes:
- Handle errors from API fave update/delete instead of returning
  success on failure
- Use actual data timestamp for feed <updated> instead of
  time.Now() (improves HTTP caching)
- Replace hardcoded 10000 export limit with named constant
  (maxExportFaves = 100000)

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Ole-Morten Duesund 2026-03-29 16:19:44 +02:00
commit 395b1b7523
5 changed files with 63 additions and 21 deletions


@ -4,6 +4,7 @@ package handler
import (
"errors"
"html"
"log/slog"
"net/http"
"strconv"
@ -42,7 +43,7 @@ func (h *Handler) handleFeedGlobal(w http.ResponseWriter, r *http.Request) {
Title: siteName + " — Siste favoritter",
Link: &feeds.Link{Href: baseURL},
Description: "Siste offentlige favoritter",
Updated: time.Now(),
Updated: feedUpdatedTime(faves),
}
feed.Items = favesToFeedItems(faves, baseURL)
@ -84,7 +85,7 @@ func (h *Handler) handleFeedUser(w http.ResponseWriter, r *http.Request) {
feed := &feeds.Feed{
Title: user.DisplayNameOrUsername() + " sine favoritter",
Link: &feeds.Link{Href: baseURL + "/u/" + user.Username},
Updated: time.Now(),
Updated: feedUpdatedTime(faves),
}
feed.Items = favesToFeedItems(faves, baseURL)
@ -110,7 +111,7 @@ func (h *Handler) handleFeedTag(w http.ResponseWriter, r *http.Request) {
feed := &feeds.Feed{
Title: "Favoritter med merkelapp: " + tagName,
Link: &feeds.Link{Href: baseURL + "/tags/" + tagName},
Updated: time.Now(),
Updated: feedUpdatedTime(faves),
}
feed.Items = favesToFeedItems(faves, baseURL)
@ -129,7 +130,8 @@ func favesToFeedItems(faves []*model.Fave, baseURL string) []*feeds.Item {
}
if f.URL != "" {
item.Content = `<p><a href="` + f.URL + `">` + f.URL + `</a></p>`
escaped := html.EscapeString(f.URL)
item.Content = `<p><a href="` + escaped + `">` + escaped + `</a></p>`
}
if f.ImagePath != "" {
@ -155,6 +157,15 @@ func (h *Handler) writeAtom(w http.ResponseWriter, feed *feeds.Feed) {
w.Write([]byte(atom))
}
// feedUpdatedTime returns the most recent UpdatedAt from the faves,
// falling back to now if the list is empty.
func feedUpdatedTime(faves []*model.Fave) time.Time {
if len(faves) > 0 {
return faves[0].UpdatedAt
}
return time.Now()
}
func itoa(n int64) string {
return strconv.FormatInt(n, 10)
}
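Review bot: In the favesToFeedItems hunk, html.EscapeString stops f.URL from breaking out of the href attribute, but it does not constrain the URL's scheme, so a stored value with a non-http scheme is still emitted as a clickable link in the feed; unless f.URL is validated when the fave is saved (not visible here), wrap the two assignment lines in a parsed-scheme guard such as `if u, err := url.Parse(f.URL); err == nil && (u.Scheme == "http" || u.Scheme == "https") {` (net/url does not appear in the visible import hunk), and favesToFeedItems itself starts before the hunk. Separately, feedUpdatedTime's comment promises the most recent UpdatedAt while the body returns faves[0].UpdatedAt, which is only right if every caller passes the slice sorted newest-first by UpdatedAt; either state that precondition, `// feedUpdatedTime returns faves[0].UpdatedAt, so callers must pass faves sorted newest-first; it falls back to now when the list is empty.`, or scan the slice for the maximum so the result does not depend on query order. The time.Now() fallback for an empty list also makes an empty feed uncacheable, which works against the stated goal of the change.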