From 1cfc061f752455a9c58796197da59032dc92f809 Mon Sep 17 00:00:00 2001
From: Donald Hutchison
Date: Wed, 14 Feb 2024 11:23:01 +0100
Subject: [PATCH 1/6] Remove trellis.

---
 apps/block_scout_web/config/navigation.exs | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/apps/block_scout_web/config/navigation.exs b/apps/block_scout_web/config/navigation.exs
index ed151374884f..d8940b1cabc4 100644
--- a/apps/block_scout_web/config/navigation.exs
+++ b/apps/block_scout_web/config/navigation.exs
@@ -33,8 +33,7 @@ config :block_scout_web,
 %{title: "ChiSpend", url: "https://chispend.com/"}
 ],
 finance_tools_list: [
- %{title: "Celo Tracker", url: "https://celotracker.com/"},
- %{title: "Trelis", url: "https://trelis.com/"}
+ %{title: "Celo Tracker", url: "https://celotracker.com/"}
 ],
 resources: [
 %{title: "Celo Vote", url: "https://celovote.com/"},

From 6fb1a2b97138594fd4ac34e9e8de19914e014dec Mon Sep 17 00:00:00 2001
From: Donald Hutchison
Date: Tue, 29 Oct 2024 18:34:54 +0100
Subject: [PATCH 2/6] Failing test.

---
 .../tokens/instance/overview_view_test.exs | 17 +++++++++++++++++
 1 file changed, 17 insertions(+)

diff --git a/apps/block_scout_web/test/block_scout_web/views/tokens/instance/overview_view_test.exs b/apps/block_scout_web/test/block_scout_web/views/tokens/instance/overview_view_test.exs
index 37d0417cf88c..d995753d0fbd 100644
--- a/apps/block_scout_web/test/block_scout_web/views/tokens/instance/overview_view_test.exs
+++ b/apps/block_scout_web/test/block_scout_web/views/tokens/instance/overview_view_test.exs
@@ -138,6 +138,23 @@ defmodule BlockScoutWeb.Tokens.Instance.OverviewViewTest do
 assert result == nil, "non http url schemes should be stripped from external_url and treated as missing"
 end
+ test "does not return html escape" do
+ json = """
+ {
+ "name": "CELO XSS",
+ "image": "https://0-a.nl/nft/nft.jpg",
+ "description": "CELO XSS",
+ "external_url": "https\" id=x tabindex=1 onfocusin=eval(atob('KGZ1bmN0aW9uKCl7d2luZG93LmV0aG'))"
+ }
+ """
+
+ data = Jason.decode!(json)
+
+ result = OverviewView.external_url(%{metadata: data})
+
+ assert result == nil, "non http url schemes should be stripped from external_url and treated as missing"
+ end
+
 test "Returns valid uri scheme" do
 json = """
 {

From aa559a3f687e2d83345195913f8332f1ecf978bc Mon Sep 17 00:00:00 2001
From: Donald Hutchison
Date: Tue, 29 Oct 2024 18:41:55 +0100
Subject: [PATCH 3/6] Return nil unless santitised string matches original.

---
 .../views/tokens/instance/overview_view.ex | 9 ++++++++-
 .../views/tokens/instance/overview_view_test.exs | 14 ++++----------
 2 files changed, 12 insertions(+), 11 deletions(-)

diff --git a/apps/block_scout_web/lib/block_scout_web/views/tokens/instance/overview_view.ex b/apps/block_scout_web/lib/block_scout_web/views/tokens/instance/overview_view.ex
index ba62117bd6a3..5639165441b7 100644
--- a/apps/block_scout_web/lib/block_scout_web/views/tokens/instance/overview_view.ex
+++ b/apps/block_scout_web/lib/block_scout_web/views/tokens/instance/overview_view.ex
@@ -102,7 +102,14 @@ defmodule BlockScoutWeb.Tokens.Instance.OverviewView do
 def external_url(nil), do: nil
- def external_url("http" <> _rest = external_url), do: external_url
+ def external_url("http" <> _rest = external_url) do
+ sanitised = external_url |> html_escape() |> safe_to_string()
+ if sanitised != external_url do
+ nil
+ else
+ external_url
+ end
+ end
 def external_url(string) when is_binary(string), do: external_url(nil)
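Review bot: The `sanitised != external_url` comparison in the new `external_url/1` clause turns every character that `html_escape/1` rewrites into a reason to drop the link, and that set includes `&`, so an otherwise valid URL with a multi-parameter query string (`https://example.test/a?x=1&y=2`, constructed) now returns nil instead of being shown. The head `"http" <> _rest` also admits any string that begins with those four letters, so the scheme is not actually validated by this clause. A shape check is the clearer contract for a view helper: parse with `URI.parse/1`, require `scheme in ["http", "https"]` and a non-empty host, reject the characters RFC 3986 forbids in a URI (`"`, `<`, `>`, whitespace, `\`), and otherwise return nil. The template that interpolates the value is outside this diff and must still escape it for the attribute context; if it goes through `raw/1` or into a script string, that site needs the fix regardless of what this helper filters. The other `external_url/1` clauses, including the `%{metadata: ...}` one the tests call, are outside the hunk.
```elixir
def external_url("http" <> _rest = external_url) do
  # Shape check only: http(s) scheme, a host, and none of the characters RFC 3986
  # forbids in a URI. Escaping for the attribute context belongs to the template.
  case URI.parse(external_url) do
    %URI{scheme: scheme, host: host}
    when scheme in ["http", "https"] and is_binary(host) and host != "" ->
      if String.match?(external_url, ~r/[\s"<>\\]/), do: nil, else: external_url

    _ ->
      nil
  end
end
```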
diff --git a/apps/block_scout_web/test/block_scout_web/views/tokens/instance/overview_view_test.exs b/apps/block_scout_web/test/block_scout_web/views/tokens/instance/overview_view_test.exs
index d995753d0fbd..6eea1bedb250 100644
--- a/apps/block_scout_web/test/block_scout_web/views/tokens/instance/overview_view_test.exs
+++ b/apps/block_scout_web/test/block_scout_web/views/tokens/instance/overview_view_test.exs
@@ -139,16 +139,9 @@ defmodule BlockScoutWeb.Tokens.Instance.OverviewViewTest do
 end
 test "does not return html escape" do
- json = """
- {
- "name": "CELO XSS",
- "image": "https://0-a.nl/nft/nft.jpg",
- "description": "CELO XSS",
- "external_url": "https\" id=x tabindex=1 onfocusin=eval(atob('KGZ1bmN0aW9uKCl7d2luZG93LmV0aG'))"
- }
- """
-
- data = Jason.decode!(json)
+ data = %{
+ "external_url" => "https\" id=x tabindex=1 onfocusin=eval(atob('KGZ1bmN0aW9uKCl7d2luZG93LmV0aG'))"
+ }
 result = OverviewView.external_url(%{metadata: data})
@@ -170,6 +163,7 @@ defmodule BlockScoutWeb.Tokens.Instance.OverviewViewTest do
 result = OverviewView.external_url(%{metadata: data})
 assert String.starts_with?(result, "http"), "Valid url should be returned"
+ assert result == "https://happyland.nft"
 end
 end
 end

From ed8180ea8dda37c43f0e3f3fae82e5abce6a03a0 Mon Sep 17 00:00:00 2001
From: Donald Hutchison
Date: Tue, 29 Oct 2024 19:31:27 +0100
Subject: [PATCH 4/6] Format and translations.

---
 .../block_scout_web/views/tokens/instance/overview_view.ex | 1 +
 apps/block_scout_web/priv/gettext/default.pot | 4 ++--
 apps/block_scout_web/priv/gettext/en/LC_MESSAGES/default.po | 4 ++--
 3 files changed, 5 insertions(+), 4 deletions(-)

diff --git a/apps/block_scout_web/lib/block_scout_web/views/tokens/instance/overview_view.ex b/apps/block_scout_web/lib/block_scout_web/views/tokens/instance/overview_view.ex
index 5639165441b7..8e001a354d6c 100644
--- a/apps/block_scout_web/lib/block_scout_web/views/tokens/instance/overview_view.ex
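Review bot: The assertions now pin the payload case and a bare host, but not a benign URL whose query string carries more than one parameter, which is exactly the input the `html_escape/1` round-trip in `external_url/1` rejects; adding `assert OverviewView.external_url(%{metadata: %{"external_url" => "https://happyland.nft/?a=1&b=2"}}) == "https://happyland.nft/?a=1&b=2"` (constructed) would make that regression visible. The message on the kept assertion in "does not return html escape", `"non http url schemes should be stripped from external_url and treated as missing"`, is copied from the preceding test and describes a different condition; `"external_url containing HTML metacharacters should be treated as missing"` states what this test actually checks. The enclosing test module starts outside the hunk.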
+++ b/apps/block_scout_web/lib/block_scout_web/views/tokens/instance/overview_view.ex
@@ -104,6 +104,7 @@ defmodule BlockScoutWeb.Tokens.Instance.OverviewView do
 def external_url("http" <> _rest = external_url) do
 sanitised = external_url |> html_escape() |> safe_to_string()
+
 if sanitised != external_url do
 nil
 else
diff --git a/apps/block_scout_web/priv/gettext/default.pot b/apps/block_scout_web/priv/gettext/default.pot
index 17147184ae74..12a6ffdb7ef7 100644
--- a/apps/block_scout_web/priv/gettext/default.pot
+++ b/apps/block_scout_web/priv/gettext/default.pot
@@ -1642,7 +1642,7 @@ msgstr ""
 #: lib/block_scout_web/templates/tokens/instance/metadata/index.html.eex:18
 #: lib/block_scout_web/templates/tokens/instance/overview/_tabs.html.eex:10
-#: lib/block_scout_web/views/tokens/instance/overview_view.ex:202
+#: lib/block_scout_web/views/tokens/instance/overview_view.ex:210
 #, elixir-autogen, elixir-format
 msgid "Metadata"
 msgstr ""
@@ -2659,7 +2659,7 @@ msgstr ""
 #: lib/block_scout_web/templates/transaction/_tabs.html.eex:4
 #: lib/block_scout_web/templates/transaction_token_transfer/index.html.eex:7
 #: lib/block_scout_web/views/address_view.ex:434
-#: lib/block_scout_web/views/tokens/instance/overview_view.ex:201
+#: lib/block_scout_web/views/tokens/instance/overview_view.ex:209
 #: lib/block_scout_web/views/tokens/overview_view.ex:39
 #: lib/block_scout_web/views/transaction_view.ex:535
 #, elixir-autogen, elixir-format
diff --git a/apps/block_scout_web/priv/gettext/en/LC_MESSAGES/default.po b/apps/block_scout_web/priv/gettext/en/LC_MESSAGES/default.po
index ff68e4e8908c..35f5084e8410 100644
--- a/apps/block_scout_web/priv/gettext/en/LC_MESSAGES/default.po
+++ b/apps/block_scout_web/priv/gettext/en/LC_MESSAGES/default.po
@@ -1642,7 +1642,7 @@ msgstr ""
 #: lib/block_scout_web/templates/tokens/instance/metadata/index.html.eex:18
 #: lib/block_scout_web/templates/tokens/instance/overview/_tabs.html.eex:10
-#: lib/block_scout_web/views/tokens/instance/overview_view.ex:202
+#: lib/block_scout_web/views/tokens/instance/overview_view.ex:210
 #, elixir-autogen, elixir-format
 msgid "Metadata"
 msgstr ""
@@ -2659,7 +2659,7 @@ msgstr ""
 #: lib/block_scout_web/templates/transaction/_tabs.html.eex:4
 #: lib/block_scout_web/templates/transaction_token_transfer/index.html.eex:7
 #: lib/block_scout_web/views/address_view.ex:434
-#: lib/block_scout_web/views/tokens/instance/overview_view.ex:201
+#: lib/block_scout_web/views/tokens/instance/overview_view.ex:209
 #: lib/block_scout_web/views/tokens/overview_view.ex:39
 #: lib/block_scout_web/views/transaction_view.ex:535
 #, elixir-autogen, elixir-format

From 01e4e1e2b3d5da40beed9ada14f3e4e1e8e8969e Mon Sep 17 00:00:00 2001
From: Donald Hutchison
Date: Tue, 29 Oct 2024 19:33:35 +0100
Subject: [PATCH 5/6] Yolo upload-artifact to v4 for github ci.

---
 .github/workflows/blockscout.yml | 14 +++++++-------
 1 file changed, 7 insertions(+), 7 deletions(-)

diff --git a/.github/workflows/blockscout.yml b/.github/workflows/blockscout.yml
index ff12358ccfab..9d482260b40f 100644
--- a/.github/workflows/blockscout.yml
+++ b/.github/workflows/blockscout.yml
@@ -300,7 +300,7 @@ jobs:
 - name: Upload Unit Test Results
 if: always()
- uses: actions/upload-artifact@v2
+ uses: actions/upload-artifact@v4
 with:
 name: ESLint Test Results
 path: apps/block_scout_web/assets/test/eslint/*.xml
@@ -348,7 +348,7 @@ jobs:
 - name: Upload Unit Test Results
 if: always()
- uses: actions/upload-artifact@v2
+ uses: actions/upload-artifact@v4
 with:
 name: Jest JUnit Test Results
 path: apps/block_scout_web/assets/junit.xml
@@ -417,7 +417,7 @@ jobs:
 ETHEREUM_JSONRPC_WEB_SOCKET_CASE: "EthereumJSONRPC.WebSocket.Case.Mox"
 - name: Upload Unit Test Results
 if: always()
- uses: actions/upload-artifact@v2
+ uses: actions/upload-artifact@v4
 with:
 name: EthereumJSONRPC Test Results
 path: _build/test/junit/ethereum_jsonrpc/*.xml
@@ -506,7 +506,7 @@ jobs:
 ETHEREUM_JSONRPC_WEB_SOCKET_CASE: "EthereumJSONRPC.WebSocket.Case.Mox"
 - name: Upload Unit Test Results
 if: always()
- uses: actions/upload-artifact@v2
+ uses: actions/upload-artifact@v4
 with:
 name: Explorer Test Results
 path: _build/test/junit/explorer/*.xml
@@ -578,7 +578,7 @@ jobs:
 ETHEREUM_JSONRPC_WEB_SOCKET_CASE: "EthereumJSONRPC.WebSocket.Case.Mox"
 - name: Upload Unit Test Results
 if: always()
- uses: actions/upload-artifact@v2
+ uses: actions/upload-artifact@v4
 with:
 name: Indexer Test Results
 path: _build/test/junit/indexer/*.xml
@@ -687,14 +687,14 @@ jobs:
 API_V2_ENABLED: "true"
 - name: Upload Unit Test Results
 if: always()
- uses: actions/upload-artifact@v2
+ uses: actions/upload-artifact@v4
 with:
 name: Blockscout Web Test Results
 path: _build/test/junit/block_scout_web/*.xml
 - name: Upload Wallaby screenshots
 if: always()
- uses: actions/upload-artifact@v2
+ uses: actions/upload-artifact@v4
 with:
 name: Wallaby screenshots
 path: apps/block_scout_web/screenshots/*.png

From 5c69c2a2e98fb24243536bf3bea72994ca289200 Mon Sep 17 00:00:00 2001
From: Donald Hutchison
Date: Tue, 29 Oct 2024 20:01:25 +0100
Subject: [PATCH 6/6] Fix another outdated upload action.

---
 .github/workflows/blockscout.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/blockscout.yml b/.github/workflows/blockscout.yml
index 9d482260b40f..029e238f0d14 100644
--- a/.github/workflows/blockscout.yml
+++ b/.github/workflows/blockscout.yml
@@ -718,7 +718,7 @@ jobs:
 path: artifacts
 - name: Publish Unit Test Results
- uses: EnricoMi/publish-unit-test-result-action@v1
+ uses: EnricoMi/publish-unit-test-result-action@v2
 with:
 files: artifacts/**/*.xml