From f2bf756422d2d1c5ac6e81f3f050977c9dda481a Mon Sep 17 00:00:00 2001
From: evazion
Date: Mon, 24 Jul 2017 19:54:01 -0500
Subject: [PATCH 1/2] Fix hidden attribute leaks in data attributes (#3237).

---
 app/presenters/post_presenter.rb | 19 +++++++++++++------
 1 file changed, 13 insertions(+), 6 deletions(-)

diff --git a/app/presenters/post_presenter.rb b/app/presenters/post_presenter.rb
index 5c3b8c347..3d8b6d9fb 100644
--- a/app/presenters/post_presenter.rb
+++ b/app/presenters/post_presenter.rb
@@ -66,7 +66,7 @@ class PostPresenter < Presenter
   end
 
   def self.data_attributes(post)
-    %{
+    attributes = %{
       data-id="#{post.id}"
       data-has-sound="#{post.has_tag?('video_with_sound|flash_with_sound')}"
       data-tags="#{h(post.tag_string)}"
@@ -83,15 +83,22 @@ class PostPresenter < Presenter
       data-views="#{post.view_count}"
       data-fav-count="#{post.fav_count}"
       data-pixiv-id="#{post.pixiv_id}"
-      data-md5="#{post.md5}"
       data-file-ext="#{post.file_ext}"
-      data-file-url="#{post.file_url}"
-      data-large-file-url="#{post.large_file_url}"
-      data-preview-file-url="#{post.preview_file_url}"
       data-source="#{h(post.source)}"
       data-normalized-source="#{h(post.normalized_source)}"
       data-is-favorited="#{post.favorited_by?(CurrentUser.user.id)}"
-    }.html_safe
+    }
+
+    if post.visible?
+      attributes += %{
+        data-md5="#{post.md5}"
+        data-file-url="#{post.file_url}"
+        data-large-file-url="#{post.large_file_url}"
+        data-preview-file-url="#{post.preview_file_url}"
+      }
+    end
+
+    attributes.html_safe
   end
 
   def initialize(post)

From 67528ce5ab91da5541cd2cb044858a274345293f Mon Sep 17 00:00:00 2001
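Review bot: The four attributes moved under `if post.visible?` are still interpolated raw into a string that is then marked `html_safe`, while the neighbouring `data-source`/`data-normalized-source` values go through `h()`; since these lines are being rewritten anyway, escape the URL values the same way, e.g. `data-file-url="#{h(post.file_url)}"` (and likewise for `data-large-file-url` and `data-preview-file-url`), so an attribute value cannot break out of its quotes. The `post.visible?` guard deserves a one-line comment stating its purpose, e.g. `# hidden posts must not expose md5 or file URLs in the DOM (#3237)`. The model's `legacy_attributes` in PATCH 2/2 also gates `md5` on a condition that sits outside that hunk; it is worth confirming both paths use the same predicate so the presenter and the legacy API cannot disagree about what a hidden post reveals. `data_attributes` starts in the previous hunk.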
From: evazion
Date: Mon, 24 Jul 2017 20:33:06 -0500
Subject: [PATCH 2/2] Fix hidden attribute leaks in legacy post controller (#3237).

---
 app/controllers/legacy_controller.rb | 14 +++++++++++++-
 app/models/post.rb | 4 ++--
 app/views/legacy/posts.json.erb | 1 -
 app/views/legacy/posts.xml.erb | 6 ------
 4 files changed, 15 insertions(+), 10 deletions(-)
 delete mode 100644 app/views/legacy/posts.json.erb
 delete mode 100644 app/views/legacy/posts.xml.erb

diff --git a/app/controllers/legacy_controller.rb b/app/controllers/legacy_controller.rb
index 385080220..8a17ff46a 100644
--- a/app/controllers/legacy_controller.rb
+++ b/app/controllers/legacy_controller.rb
@@ -1,9 +1,21 @@
 class LegacyController < ApplicationController
   before_filter :member_only, :only => [:create_post]
+  respond_to :json, :xml
 
   def posts
     @post_set = PostSets::Post.new(tag_query, params[:page], params[:limit], format: "json")
-    @posts = @post_set.posts
+    @posts = @post_set.posts.map(&:legacy_attributes)
+
+    respond_with(@posts) do |format|
+      format.xml do
+        xml = Builder::XmlMarkup.new(indent: 2)
+        xml.instruct!
+        xml.posts do
+          @posts.each { |attrs| xml.post(attrs) }
+        end
+        render xml: xml.target!
+      end
+    end
   end
 
   def create_post
diff --git a/app/models/post.rb b/app/models/post.rb
index 34c769f39..0259afec8 100644
--- a/app/models/post.rb
+++ b/app/models/post.rb
@@ -1548,7 +1548,7 @@ class Post < ApplicationRecord
     super(options)
   end
 
-  def to_legacy_json
+  def legacy_attributes
     hash = {
       "has_comments" => last_commented_at.present?,
       "parent_id" => parent_id,
@@ -1574,7 +1574,7 @@ class Post < ApplicationRecord
       hash["md5"] = md5
     end
 
-    hash.to_json
+    hash
   end
 
   def status
diff --git a/app/views/legacy/posts.json.erb b/app/views/legacy/posts.json.erb
deleted file mode 100644
index 182aacf3d..000000000
--- a/app/views/legacy/posts.json.erb
+++ /dev/null
@@ -1 +0,0 @@
-[<%= @posts.map {|x| x.to_legacy_json}.join(", ").html_safe %>]
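Review bot: The XML branch hand-builds the document inside the action (`Builder::XmlMarkup`, `xml.post(attrs)`), which turns every key of each `legacy_attributes` hash into an attribute of a `<post>` element; that only serialises faithfully while every value is a scalar, whereas the JSON branch produced by `respond_with` would nest a Hash or Array value, so the two formats could silently diverge if `legacy_attributes` ever grows a structured field. A short comment above `respond_with` would make the constraint visible: `# legacy_attributes must stay flat (scalars only): the XML form emits each key as a <post> attribute`. Moving the `format.xml` block into a private helper such as `render_legacy_posts_xml` would also keep the action readable. `posts` is fully inside the hunk; `tag_query` is defined elsewhere in the file.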
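Review bot: `to_legacy_json` is renamed to `legacy_attributes` and its return value changes from a JSON string to a Hash (second hunk of this file) with no compatibility shim; the only caller visible in this series is the deleted `posts.json.erb`, so any other caller of the old name would now fail with NoMethodError. If the old name is relied on elsewhere, a thin wrapper keeps it working: `def to_legacy_json` / `  legacy_attributes.to_json` / `end`. The body of `legacy_attributes` runs outside both hunks, including the condition that guards `hash["md5"] = md5`.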
diff --git a/app/views/legacy/posts.xml.erb b/app/views/legacy/posts.xml.erb
deleted file mode 100644
index 2a5d2a223..000000000
--- a/app/views/legacy/posts.xml.erb
+++ /dev/null
@@ -1,6 +0,0 @@
-
-
- <% @posts.each do |post| %>
-
- <% end %>
-