From 3816e9c22de083add2df01980f7c11c1881131cf Mon Sep 17 00:00:00 2001
From: Chizu
Date: Fri, 26 May 2023 18:32:06 +0000
Subject: [PATCH 1/4] Apply Patch
---
 lib/pleroma/reverse_proxy.ex | 5 +++++
 1 file changed, 5 insertions(+)
diff --git a/lib/pleroma/reverse_proxy.ex b/lib/pleroma/reverse_proxy.ex
index 91cf1bba3..b44f0b90a 100644
--- a/lib/pleroma/reverse_proxy.ex
+++ b/lib/pleroma/reverse_proxy.ex
@@ -251,6 +251,7 @@ defmodule Pleroma.ReverseProxy do
 |> Enum.filter(fn {k, _} -> k in @keep_resp_headers end)
 |> build_resp_cache_headers(opts)
 |> build_resp_content_disposition_header(opts)
+ |> build_csp_headers()
 |> Keyword.merge(Keyword.get(opts, :resp_headers, []))
 end
@@ -316,6 +317,10 @@ defmodule Pleroma.ReverseProxy do
 end
 end
+ defp build_csp_headers(headers) do
+ List.keystore(headers, "content-security-policy", 0, {"content-security-policy", "sandbox"})
+ end
+
 defp header_length_constraint(headers, limit) when is_integer(limit) and limit > 0 do
 with {_, size} <- List.keyfind(headers, "content-length", 0),
 {size, _} <- Integer.parse(size),
From 8f4f6abc67cfa7af9de9a9486c29f884e9a0dcf5 Mon Sep 17 00:00:00 2001
From: Chizu
Date: Fri, 26 May 2023 18:32:21 +0000
Subject: [PATCH 2/4] Apply Patch
---
 lib/pleroma/web/plugs/uploaded_media.ex | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/lib/pleroma/web/plugs/uploaded_media.ex b/lib/pleroma/web/plugs/uploaded_media.ex
index 72f20e8de..cccbfe350 100644
--- a/lib/pleroma/web/plugs/uploaded_media.ex
+++ b/lib/pleroma/web/plugs/uploaded_media.ex
@@ -42,7 +42,7 @@ defmodule Pleroma.Web.Plugs.UploadedMedia do
 conn -> conn
 end
- |> merge_resp_headers([{"content-security-policy", "sandbox"}])
+ |> merge_resp_headers([{"content-security-policy", "script-src none"}])
 config = Pleroma.Config.get(Pleroma.Upload)
From 016e45b587dde1d00dcfb0835ab927599907661f Mon Sep 17 00:00:00 2001 
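Review bot: The new `|> build_csp_headers()` step runs before `|> Keyword.merge(Keyword.get(opts, :resp_headers, []))`, and the merge keeps the right-hand value, so a `content-security-policy` entry that a caller passes through `opts[:resp_headers]` silently replaces the `sandbox` policy this step just set. If the sandbox is meant to be unconditional for proxied media, move the step after the merge: `|> Keyword.merge(Keyword.get(opts, :resp_headers, []))` followed by `|> build_csp_headers()`. Whether any caller actually passes that header is not visible from this hunk, so the current order may be intended; a one-line comment saying which side wins would settle it either way. The enclosing function starts before the hunk.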
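Review bot: `build_csp_headers/1` carries no comment on why every proxied response is forced into a CSP sandbox, which is exactly the kind of decision a later maintainer will be tempted to relax without understanding the cost. A comment above the `defp` would do, e.g. `# Proxied bodies are served from this host; the sandbox directive makes the browser treat them as an opaque origin with scripts, forms and popups disabled.` It is also worth stating that `List.keystore/4` replaces any upstream `content-security-policy` outright rather than combining with it, which is only safe if that header is not in `@keep_resp_headers` (not visible here).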
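Review bot: The new policy `script-src none` is malformed: `'none'` is a CSP keyword and has to be single-quoted, so the unquoted token is read as a host-source named `none` rather than the keyword, and browsers flag it in the console; at minimum this should be `|> merge_resp_headers([{"content-security-policy", "script-src 'none'"}])`. Beyond the typo, replacing `sandbox` with a lone `script-src` directive is a weaker policy for user uploads: `sandbox` also forced an opaque origin and disabled forms, popups and plugins, so an upload that a browser renders as a document (HTML, SVG) could not act as this host, whereas `script-src` alone restores same-origin treatment. If something `sandbox` blocked is the reason for the change, the usual fix is to keep `sandbox` and add only the specific `allow-*` token needed rather than drop the directive. Note also that `lib/pleroma/reverse_proxy.ex` in patch 1 of this series still sets `sandbox`, so the two media paths now disagree. The enclosing function starts before the hunk.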
From: Chizu
Date: Sat, 27 May 2023 08:16:14 +0000
Subject: [PATCH 3/4] Apply oembed patch
---
 lib/pleroma/web/rich_media/parsers/o_embed.ex | 4 ++--
 test/pleroma/web/rich_media/parser_test.exs | 4 ++--
 2 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/lib/pleroma/web/rich_media/parsers/o_embed.ex b/lib/pleroma/web/rich_media/parsers/o_embed.ex
index 09eabec56..695740d2e 100644
--- a/lib/pleroma/web/rich_media/parsers/o_embed.ex
+++ b/lib/pleroma/web/rich_media/parsers/o_embed.ex
@@ -6,8 +6,8 @@ defmodule Pleroma.Web.RichMedia.Parsers.OEmbed do
 def parse(html, _data) do
 with elements = [_ | _] <- get_discovery_data(html),
 oembed_url when is_binary(oembed_url) <- get_oembed_url(elements),
- {:ok, oembed_data} <- get_oembed_data(oembed_url) do
- oembed_data
+ {:ok, oembed_data = %{"html" => html}} <- get_oembed_data(oembed_url) do
+ %{oembed_data | "html" => Pleroma.HTML.filter_tags(html)}
 else
 _e -> %{}
 end
diff --git a/test/pleroma/web/rich_media/parser_test.exs b/test/pleroma/web/rich_media/parser_test.exs
index b6444ac82..5479bc15d 100644
--- a/test/pleroma/web/rich_media/parser_test.exs
+++ b/test/pleroma/web/rich_media/parser_test.exs
@@ -129,7 +129,7 @@ defmodule Pleroma.Web.RichMedia.ParserTest do
 }}
 end
- test "parses OEmbed" do
+ test "parses OEmbed and filters HTML tags" do
 assert Parser.parse("http://example.com/oembed") ==
 {:ok,
 %{
@@ -139,7 +139,7 @@ defmodule Pleroma.Web.RichMedia.ParserTest do
 "flickr_type" => "photo",
 "height" => "768",
 "html" =>
- "\"Bacon",
+ "\"Bacon",
 "license" => "All Rights Reserved",
 "license_id" => 0,
 "provider_name" => "Flickr",
From 26e64b4ba0d6f7599402e9c4af13e05647c5e9e4 Mon Sep 17 00:00:00 2001
From: Chizu
Date: Fri, 9 Jun 2023 08:43:33 +0000
Subject: [PATCH 4/4] Update 'mix.exs'
---
 mix.exs | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/mix.exs b/mix.exs
index 9153e8ba3..d16c45b74 100644
--- a/mix.exs
+++ b/mix.exs 
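Review bot: The new pattern `{:ok, oembed_data = %{"html" => html}}` makes an `html` key mandatory, so an oEmbed response without one no longer matches, falls through to `_e -> %{}` and the whole result is discarded, where the old code returned the data as-is; the oEmbed format only defines `html` for the `video` and `rich` types, so `photo` and `link` responses are the ones that now vanish. Filtering should apply only when the key is present and leave other responses untouched. The pattern also rebinds `html`, shadowing the `html` argument of `parse/2` inside the `with`; a distinct name such as `embed_html` avoids reading the wrong value in a later edit. `parse/2`'s closing `end` is outside the hunk.
```elixir
         {:ok, oembed_data} <- get_oembed_data(oembed_url) do
      case oembed_data do
        %{"html" => embed_html} ->
          %{oembed_data | "html" => Pleroma.HTML.filter_tags(embed_html)}

        _ ->
          oembed_data
      end
    # … unchanged: else clause …
```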
@@ -4,7 +4,7 @@ defmodule Pleroma.Mixfile do
 def project do
 [
 app: :pleroma,
- version: version("3.6.1"),
+ version: version("6.9.1"),
 elixir: "~> 1.12",
 elixirc_paths: elixirc_paths(Mix.env()),
 compilers: [:phoenix] ++ Mix.compilers(),
@@ -16,9 +16,9 @@ defmodule Pleroma.Mixfile do
 test_coverage: [tool: ExCoveralls],
 preferred_cli_env: ["coveralls.html": :test],
 # Docs
- name: "AkkoUnfucked",
+ name: "incestoma",
 homepage_url: "https://git.youjo.love/",
- source_url: "https://git.youjo.love/fox/youjo-be",
+ source_url: "https://git.youjo.love/youjo/youjo-be",
 docs: [
 source_url_pattern: "https://git.youjo.love/fox/youjo-be/blob/develop/%{path}#L%{line}",
 logo: "priv/static/images/logo.png",
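Review bot: `source_url` now points at `youjo/youjo-be`, but the unchanged `source_url_pattern` two lines below still uses `fox/youjo-be`, so every generated doc link goes to the old repository path. Update it in the same commit: `source_url_pattern: "https://git.youjo.love/youjo/youjo-be/blob/develop/%{path}#L%{line}",`. The `project/0` list continues past the hunk.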