logo

pleroma

My custom branche(s) on git.pleroma.social/pleroma/pleroma
commit: c34327b22e6e01e9e162ec93217f8ce2352204ac
parent: efa445a75b242787a30ffbc2eb16bd165260f66c
Author: Haelwenn <contact+git.pleroma.social@hacktivis.me>
Date:   Sun, 16 Jun 2019 18:05:00 +0000

Merge branch 'fix/sanitize-report-content' into 'develop'

Sanitize HTML in ReportView

Closes #990

See merge request pleroma/pleroma!1293

Diffstat:

Mlib/pleroma/web/admin_api/views/report_view.ex10+++++++++-
Atest/web/admin_api/views/report_view_test.exs98+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
2 files changed, 107 insertions(+), 1 deletion(-)

diff --git a/lib/pleroma/web/admin_api/views/report_view.ex b/lib/pleroma/web/admin_api/views/report_view.ex @@ -5,6 +5,7 @@ defmodule Pleroma.Web.AdminAPI.ReportView do use Pleroma.Web, :view alias Pleroma.Activity + alias Pleroma.HTML alias Pleroma.User alias Pleroma.Web.CommonAPI.Utils alias Pleroma.Web.MastodonAPI.AccountView @@ -23,6 +24,13 @@ defmodule Pleroma.Web.AdminAPI.ReportView do [account_ap_id | status_ap_ids] = report.data["object"] account = User.get_cached_by_ap_id(account_ap_id) + content = + unless is_nil(report.data["content"]) do + HTML.filter_tags(report.data["content"]) + else + nil + end + statuses = Enum.map(status_ap_ids, fn ap_id -> Activity.get_by_ap_id_with_object(ap_id) @@ -32,7 +40,7 @@ defmodule Pleroma.Web.AdminAPI.ReportView do id: report.id, account: AccountView.render("account.json", %{user: account}), actor: AccountView.render("account.json", %{user: user}), - content: report.data["content"], + content: content, created_at: created_at, statuses: StatusView.render("index.json", %{activities: statuses, as: :activity}), state: report.data["state"] diff --git a/test/web/admin_api/views/report_view_test.exs b/test/web/admin_api/views/report_view_test.exs @@ -0,0 +1,98 @@ +# Pleroma: A lightweight social networking server +# Copyright © 2017-2019 Pleroma Authors <https://pleroma.social/> +# SPDX-License-Identifier: AGPL-3.0-only + +defmodule Pleroma.Web.AdminAPI.ReportViewTest do + use Pleroma.DataCase + import Pleroma.Factory + alias Pleroma.Web.AdminAPI.ReportView + alias Pleroma.Web.CommonAPI + alias Pleroma.Web.MastodonAPI.AccountView + alias Pleroma.Web.MastodonAPI.StatusView + + test "renders a report" do + user = insert(:user) + other_user = insert(:user) + + {:ok, activity} = CommonAPI.report(user, %{"account_id" => other_user.id}) + + expected = %{ + content: nil, + actor: AccountView.render("account.json", %{user: user}), + account: AccountView.render("account.json", %{user: other_user}), + statuses: [], + state: "open", + id: activity.id + } + + result = + ReportView.render("show.json", %{report: activity}) + |> Map.delete(:created_at) + + assert result == expected + end + + test "includes reported statuses" do + user = insert(:user) + other_user = insert(:user) + {:ok, activity} = CommonAPI.post(other_user, %{"status" => "toot"}) + + {:ok, report_activity} = + CommonAPI.report(user, %{"account_id" => other_user.id, "status_ids" => [activity.id]}) + + expected = %{ + content: nil, + actor: AccountView.render("account.json", %{user: user}), + account: AccountView.render("account.json", %{user: other_user}), + statuses: [StatusView.render("status.json", %{activity: activity})], + state: "open", + id: report_activity.id + } + + result = + ReportView.render("show.json", %{report: report_activity}) + |> Map.delete(:created_at) + + assert result == expected + end + + test "renders report's state" do + user = insert(:user) + other_user = insert(:user) + + {:ok, activity} = CommonAPI.report(user, %{"account_id" => other_user.id}) + {:ok, activity} = CommonAPI.update_report_state(activity.id, "closed") + assert %{state: "closed"} = ReportView.render("show.json", %{report: activity}) + end + + test "renders report description" do + user = insert(:user) + other_user = insert(:user) + + {:ok, activity} = + CommonAPI.report(user, %{ + "account_id" => other_user.id, + "comment" => "posts are too good for this instance" + }) + + assert %{content: "posts are too good for this instance"} = + ReportView.render("show.json", %{report: activity}) + end + + test "sanitizes report description" do + user = insert(:user) + other_user = insert(:user) + + {:ok, activity} = + CommonAPI.report(user, %{ + "account_id" => other_user.id, + "comment" => "" + }) + + data = Map.put(activity.data, "content", "<script> alert('hecked :D:D:D:D:D:D:D') </script>") + activity = Map.put(activity, :data, data) + + refute "<script> alert('hecked :D:D:D:D:D:D:D') </script>" == + ReportView.render("show.json", %{report: activity})[:content] + end +end