Browse Source
Merge branch 'fix/sanitize-report-content' into 'develop'
Sanitize HTML in ReportView Closes #990 See merge request pleroma/pleroma!1293tags/v1.1.4
Haelwenn
5 years ago
2 changed files with 107 additions and 1 deletions
Split View
Diff Options
-
+9 -1lib/pleroma/web/admin_api/views/report_view.ex
-
+98 -0test/web/admin_api/views/report_view_test.exs
+ 9
- 1
lib/pleroma/web/admin_api/views/report_view.ex
View File
| @@ -5,6 +5,7 @@ | |||
| defmodule Pleroma.Web.AdminAPI.ReportView do | |||
| use Pleroma.Web, :view | |||
| alias Pleroma.Activity | |||
| alias Pleroma.HTML | |||
| alias Pleroma.User | |||
| alias Pleroma.Web.CommonAPI.Utils | |||
| alias Pleroma.Web.MastodonAPI.AccountView | |||
| @@ -23,6 +24,13 @@ defmodule Pleroma.Web.AdminAPI.ReportView do | |||
| [account_ap_id | status_ap_ids] = report.data["object"] | |||
| account = User.get_cached_by_ap_id(account_ap_id) | |||
| content = | |||
| unless is_nil(report.data["content"]) do | |||
| HTML.filter_tags(report.data["content"]) | |||
| else | |||
| nil | |||
| end | |||
| statuses = | |||
| Enum.map(status_ap_ids, fn ap_id -> | |||
| Activity.get_by_ap_id_with_object(ap_id) | |||
| @@ -32,7 +40,7 @@ defmodule Pleroma.Web.AdminAPI.ReportView do | |||
| id: report.id, | |||
| account: AccountView.render("account.json", %{user: account}), | |||
| actor: AccountView.render("account.json", %{user: user}), | |||
| content: report.data["content"], | |||
| content: content, | |||
| created_at: created_at, | |||
| statuses: StatusView.render("index.json", %{activities: statuses, as: :activity}), | |||
| state: report.data["state"] | |||
+ 98
- 0
test/web/admin_api/views/report_view_test.exs
View File
| @@ -0,0 +1,98 @@ | |||
| # Pleroma: A lightweight social networking server | |||
| # Copyright © 2017-2019 Pleroma Authors <https://pleroma.social/> | |||
| # SPDX-License-Identifier: AGPL-3.0-only | |||
| defmodule Pleroma.Web.AdminAPI.ReportViewTest do | |||
| use Pleroma.DataCase | |||
| import Pleroma.Factory | |||
| alias Pleroma.Web.AdminAPI.ReportView | |||
| alias Pleroma.Web.CommonAPI | |||
| alias Pleroma.Web.MastodonAPI.AccountView | |||
| alias Pleroma.Web.MastodonAPI.StatusView | |||
| test "renders a report" do | |||
| user = insert(:user) | |||
| other_user = insert(:user) | |||
| {:ok, activity} = CommonAPI.report(user, %{"account_id" => other_user.id}) | |||
| expected = %{ | |||
| content: nil, | |||
| actor: AccountView.render("account.json", %{user: user}), | |||
| account: AccountView.render("account.json", %{user: other_user}), | |||
| statuses: [], | |||
| state: "open", | |||
| id: activity.id | |||
| } | |||
| result = | |||
| ReportView.render("show.json", %{report: activity}) | |||
| |> Map.delete(:created_at) | |||
| assert result == expected | |||
| end | |||
| test "includes reported statuses" do | |||
| user = insert(:user) | |||
| other_user = insert(:user) | |||
| {:ok, activity} = CommonAPI.post(other_user, %{"status" => "toot"}) | |||
| {:ok, report_activity} = | |||
| CommonAPI.report(user, %{"account_id" => other_user.id, "status_ids" => [activity.id]}) | |||
| expected = %{ | |||
| content: nil, | |||
| actor: AccountView.render("account.json", %{user: user}), | |||
| account: AccountView.render("account.json", %{user: other_user}), | |||
| statuses: [StatusView.render("status.json", %{activity: activity})], | |||
| state: "open", | |||
| id: report_activity.id | |||
| } | |||
| result = | |||
| ReportView.render("show.json", %{report: report_activity}) | |||
| |> Map.delete(:created_at) | |||
| assert result == expected | |||
| end | |||
| test "renders report's state" do | |||
| user = insert(:user) | |||
| other_user = insert(:user) | |||
| {:ok, activity} = CommonAPI.report(user, %{"account_id" => other_user.id}) | |||
| {:ok, activity} = CommonAPI.update_report_state(activity.id, "closed") | |||
| assert %{state: "closed"} = ReportView.render("show.json", %{report: activity}) | |||
| end | |||
| test "renders report description" do | |||
| user = insert(:user) | |||
| other_user = insert(:user) | |||
| {:ok, activity} = | |||
| CommonAPI.report(user, %{ | |||
| "account_id" => other_user.id, | |||
| "comment" => "posts are too good for this instance" | |||
| }) | |||
| assert %{content: "posts are too good for this instance"} = | |||
| ReportView.render("show.json", %{report: activity}) | |||
| end | |||
| test "sanitizes report description" do | |||
| user = insert(:user) | |||
| other_user = insert(:user) | |||
| {:ok, activity} = | |||
| CommonAPI.report(user, %{ | |||
| "account_id" => other_user.id, | |||
| "comment" => "" | |||
| }) | |||
| data = Map.put(activity.data, "content", "<script> alert('hecked :D:D:D:D:D:D:D') </script>") | |||
| activity = Map.put(activity, :data, data) | |||
| refute "<script> alert('hecked :D:D:D:D:D:D:D') </script>" == | |||
| ReportView.render("show.json", %{report: activity})[:content] | |||
| end | |||
| end | |||