Merge branch 'fix/sanitize-report-content' into 'develop'
Sanitize HTML in ReportView Closes #990 See merge request pleroma/pleroma!1293
This commit is contained in:
commit
c34327b22e
2 changed files with 107 additions and 1 deletions
|
@ -5,6 +5,7 @@
|
||||||
defmodule Pleroma.Web.AdminAPI.ReportView do
|
defmodule Pleroma.Web.AdminAPI.ReportView do
|
||||||
use Pleroma.Web, :view
|
use Pleroma.Web, :view
|
||||||
alias Pleroma.Activity
|
alias Pleroma.Activity
|
||||||
|
alias Pleroma.HTML
|
||||||
alias Pleroma.User
|
alias Pleroma.User
|
||||||
alias Pleroma.Web.CommonAPI.Utils
|
alias Pleroma.Web.CommonAPI.Utils
|
||||||
alias Pleroma.Web.MastodonAPI.AccountView
|
alias Pleroma.Web.MastodonAPI.AccountView
|
||||||
|
@ -23,6 +24,13 @@ defmodule Pleroma.Web.AdminAPI.ReportView do
|
||||||
[account_ap_id | status_ap_ids] = report.data["object"]
|
[account_ap_id | status_ap_ids] = report.data["object"]
|
||||||
account = User.get_cached_by_ap_id(account_ap_id)
|
account = User.get_cached_by_ap_id(account_ap_id)
|
||||||
|
|
||||||
|
content =
|
||||||
|
unless is_nil(report.data["content"]) do
|
||||||
|
HTML.filter_tags(report.data["content"])
|
||||||
|
else
|
||||||
|
nil
|
||||||
|
end
|
||||||
|
|
||||||
statuses =
|
statuses =
|
||||||
Enum.map(status_ap_ids, fn ap_id ->
|
Enum.map(status_ap_ids, fn ap_id ->
|
||||||
Activity.get_by_ap_id_with_object(ap_id)
|
Activity.get_by_ap_id_with_object(ap_id)
|
||||||
|
@ -32,7 +40,7 @@ defmodule Pleroma.Web.AdminAPI.ReportView do
|
||||||
id: report.id,
|
id: report.id,
|
||||||
account: AccountView.render("account.json", %{user: account}),
|
account: AccountView.render("account.json", %{user: account}),
|
||||||
actor: AccountView.render("account.json", %{user: user}),
|
actor: AccountView.render("account.json", %{user: user}),
|
||||||
content: report.data["content"],
|
content: content,
|
||||||
created_at: created_at,
|
created_at: created_at,
|
||||||
statuses: StatusView.render("index.json", %{activities: statuses, as: :activity}),
|
statuses: StatusView.render("index.json", %{activities: statuses, as: :activity}),
|
||||||
state: report.data["state"]
|
state: report.data["state"]
|
||||||
|
|
98
test/web/admin_api/views/report_view_test.exs
Normal file
98
test/web/admin_api/views/report_view_test.exs
Normal file
|
@ -0,0 +1,98 @@
|
||||||
|
# Pleroma: A lightweight social networking server
|
||||||
|
# Copyright © 2017-2019 Pleroma Authors <https://pleroma.social/>
|
||||||
|
# SPDX-License-Identifier: AGPL-3.0-only
|
||||||
|
|
||||||
|
defmodule Pleroma.Web.AdminAPI.ReportViewTest do
|
||||||
|
use Pleroma.DataCase
|
||||||
|
import Pleroma.Factory
|
||||||
|
alias Pleroma.Web.AdminAPI.ReportView
|
||||||
|
alias Pleroma.Web.CommonAPI
|
||||||
|
alias Pleroma.Web.MastodonAPI.AccountView
|
||||||
|
alias Pleroma.Web.MastodonAPI.StatusView
|
||||||
|
|
||||||
|
test "renders a report" do
|
||||||
|
user = insert(:user)
|
||||||
|
other_user = insert(:user)
|
||||||
|
|
||||||
|
{:ok, activity} = CommonAPI.report(user, %{"account_id" => other_user.id})
|
||||||
|
|
||||||
|
expected = %{
|
||||||
|
content: nil,
|
||||||
|
actor: AccountView.render("account.json", %{user: user}),
|
||||||
|
account: AccountView.render("account.json", %{user: other_user}),
|
||||||
|
statuses: [],
|
||||||
|
state: "open",
|
||||||
|
id: activity.id
|
||||||
|
}
|
||||||
|
|
||||||
|
result =
|
||||||
|
ReportView.render("show.json", %{report: activity})
|
||||||
|
|> Map.delete(:created_at)
|
||||||
|
|
||||||
|
assert result == expected
|
||||||
|
end
|
||||||
|
|
||||||
|
test "includes reported statuses" do
|
||||||
|
user = insert(:user)
|
||||||
|
other_user = insert(:user)
|
||||||
|
{:ok, activity} = CommonAPI.post(other_user, %{"status" => "toot"})
|
||||||
|
|
||||||
|
{:ok, report_activity} =
|
||||||
|
CommonAPI.report(user, %{"account_id" => other_user.id, "status_ids" => [activity.id]})
|
||||||
|
|
||||||
|
expected = %{
|
||||||
|
content: nil,
|
||||||
|
actor: AccountView.render("account.json", %{user: user}),
|
||||||
|
account: AccountView.render("account.json", %{user: other_user}),
|
||||||
|
statuses: [StatusView.render("status.json", %{activity: activity})],
|
||||||
|
state: "open",
|
||||||
|
id: report_activity.id
|
||||||
|
}
|
||||||
|
|
||||||
|
result =
|
||||||
|
ReportView.render("show.json", %{report: report_activity})
|
||||||
|
|> Map.delete(:created_at)
|
||||||
|
|
||||||
|
assert result == expected
|
||||||
|
end
|
||||||
|
|
||||||
|
test "renders report's state" do
|
||||||
|
user = insert(:user)
|
||||||
|
other_user = insert(:user)
|
||||||
|
|
||||||
|
{:ok, activity} = CommonAPI.report(user, %{"account_id" => other_user.id})
|
||||||
|
{:ok, activity} = CommonAPI.update_report_state(activity.id, "closed")
|
||||||
|
assert %{state: "closed"} = ReportView.render("show.json", %{report: activity})
|
||||||
|
end
|
||||||
|
|
||||||
|
test "renders report description" do
|
||||||
|
user = insert(:user)
|
||||||
|
other_user = insert(:user)
|
||||||
|
|
||||||
|
{:ok, activity} =
|
||||||
|
CommonAPI.report(user, %{
|
||||||
|
"account_id" => other_user.id,
|
||||||
|
"comment" => "posts are too good for this instance"
|
||||||
|
})
|
||||||
|
|
||||||
|
assert %{content: "posts are too good for this instance"} =
|
||||||
|
ReportView.render("show.json", %{report: activity})
|
||||||
|
end
|
||||||
|
|
||||||
|
test "sanitizes report description" do
|
||||||
|
user = insert(:user)
|
||||||
|
other_user = insert(:user)
|
||||||
|
|
||||||
|
{:ok, activity} =
|
||||||
|
CommonAPI.report(user, %{
|
||||||
|
"account_id" => other_user.id,
|
||||||
|
"comment" => ""
|
||||||
|
})
|
||||||
|
|
||||||
|
data = Map.put(activity.data, "content", "<script> alert('hecked :D:D:D:D:D:D:D') </script>")
|
||||||
|
activity = Map.put(activity, :data, data)
|
||||||
|
|
||||||
|
refute "<script> alert('hecked :D:D:D:D:D:D:D') </script>" ==
|
||||||
|
ReportView.render("show.json", %{report: activity})[:content]
|
||||||
|
end
|
||||||
|
end
|
Loading…
Reference in a new issue