fix: always consider report content as text
Report content was rendered as HTML in the front-end and in e-mails, but it was never sanitized as HTML. Signed-off-by: Thomas Citharel <tcit@tcit.fr>
parent
ded59bec27
commit
ffff379d47
|
@ -60,6 +60,7 @@ defmodule Mobilizon.Federation.ActivityStream.Converter.Flag do
|
|||
"actor" => Relay.get_actor().url,
|
||||
"id" => report.url,
|
||||
"content" => report.content,
|
||||
"mediaType" => "text/plain",
|
||||
"object" => object
|
||||
}
|
||||
end
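Review bot: The `"mediaType" => "text/plain"` added here only labels what this instance sends out; the inbound direction, where a remote Flag's `content` becomes a `Report`, is not in this hunk, and a peer can send any `mediaType` it likes, so that value must never be what decides whether content gets sanitised. Assuming remote flags reach the same `Reports.flag/1` path the new test exercises, the stripping happens there and this hunk is fine; if they are persisted through another path, route them through the same sanitiser. A short comment would make the contract explicit: `# Outgoing content is always plain text: HTML was stripped on creation and it must never be rendered as HTML.` The enclosing function's head is above this hunk.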
|
||||
|
|
|
@ -192,7 +192,7 @@
|
|||
>
|
||||
<p style="margin: 0">
|
||||
<h3><%= gettext("Reasons for report") %></h3>
|
||||
<%= @report.content |> raw %>
|
||||
<%= @report.content %>
|
||||
</p>
|
||||
<table
|
||||
cellspacing="0"
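Review bot: With the `raw` pipe gone, `@report.content` is interpolated as escaped text, but any line breaks the reporter typed now collapse into a single line inside the `<p>`, since nothing in the template preserves whitespace. Keep the escaping and change the opening tag to `<p style="margin: 0; white-space: pre-wrap">` so multi-line reports stay readable in the e-mail. This assumes the template is the `.html.eex` variant, where `<%= %>` HTML-escapes; if it is the text variant, escaping is moot but the whitespace point still holds. The `<h3>` nested inside the `<p>` is pre-existing invalid HTML and worth fixing separately.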
|
||||
|
|
|
@ -63,7 +63,9 @@
|
|||
{{ t("Reported by an unknown actor") }}
|
||||
</span>
|
||||
</div>
|
||||
<div class="" v-if="report.content" v-html="report.content" />
|
||||
<div class="line-clamp-1" v-if="report.content">
|
||||
{{ report.content }}
|
||||
</div>
|
||||
</div>
|
||||
</div>
|
||||
</template>
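Review bot: The `line-clamp-1` preview truncates silently and gives the moderator no way to see the rest of the text from this card; consider exposing it on hover with `<div class="line-clamp-1" v-if="report.content" :title="report.content">`. Switching from `v-html` to `{{ }}` interpolation is the right fix here, since the server-side sanitiser output can still legitimately contain `<` characters as literal text, as the new test shows.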
|
||||
|
|
|
@ -216,11 +216,9 @@
|
|||
</div>
|
||||
<p v-else>{{ t("Unknown actor") }}</p>
|
||||
</div>
|
||||
<div
|
||||
class="prose dark:prose-invert"
|
||||
v-if="report.content"
|
||||
v-html="nl2br(report.content)"
|
||||
/>
|
||||
<div class="prose dark:prose-invert" v-if="report.content">
|
||||
{{ report.content }}
|
||||
</div>
|
||||
<p v-else>{{ t("No comment") }}</p>
|
||||
</div>
|
||||
</section>
|
||||
|
@ -407,7 +405,6 @@ import {
|
|||
} from "@/types/actor";
|
||||
import { DELETE_EVENT } from "@/graphql/event";
|
||||
import uniq from "lodash/uniq";
|
||||
import { nl2br } from "@/utils/html";
|
||||
import { DELETE_COMMENT } from "@/graphql/comment";
|
||||
import { IComment } from "@/types/comment.model";
|
||||
import { ActorType, AntiSpamFeedback, ReportStatusEnum } from "@/types/enums";
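Review bot: In the template hunk at line 216, replacing `v-html="nl2br(report.content)"` with `{{ report.content }}` drops the line-break handling `nl2br` provided, so multi-line reports now render as one paragraph; add Tailwind's `whitespace-pre-line` to the container: `<div class="prose dark:prose-invert whitespace-pre-line" v-if="report.content">`. Text interpolation is the correct escaping choice, and removing the now-unused `nl2br` import in the second hunk is consistent with it. A comment next to the div, `<!-- content is plain text (HTML stripped server-side); never render it with v-html -->`, would stop the next edit from reintroducing the sink.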
|
||||
|
|
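--- /dev/null
+++ b/test/federation/activity_pub/types/reports_test.exs
@@ -0,0 +1,41 @@
+defmodule Mobilizon.Federation.ActivityPub.Types.ReportsTest do
+use Mobilizon.DataCase
+
+import Mobilizon.Factory
+
+alias Mobilizon.Actors.Actor
+alias Mobilizon.Federation.ActivityPub.Types.Reports
+alias Mobilizon.Reports.Report
+
+describe "report creation" do
+test "with XSS" do
+%Actor{id: reporter_id} = insert(:actor)
+%Actor{id: reported_id} = insert(:actor)
+
+content =
+"hello <meta http-equiv=\"refresh\" content=\"0; url=http://example.com/\" />"
+
+assert {:ok, %Report{content: saved_content}, _} =
+Reports.flag(%{
+reporter_id: reporter_id,
+reported_id: reported_id,
+content: content
+})
+
+assert saved_content == "hello "
+
+content =
+"<<img src=''/>meta http-equiv=\"refresh\" content=\"0; url=http://example.com/\" />"
+
+assert {:ok, %Report{content: saved_content}, _} =
+Reports.flag(%{
+reporter_id: reporter_id,
+reported_id: reported_id,
+content: content
+})
+
+assert saved_content ==
+"<meta http-equiv=\"refresh\" content=\"0; url=http://example.com/\" />"
+end
+end
+end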
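Review bot: The second assertion pins that the sanitiser's output can still contain a literal `<meta …>` string, which is only safe because every consumer now renders content as text; that dependency is not stated anywhere in the test, and the only payload exercised is a meta refresh rather than active content. Add a comment above the second case, `# Stripping is not escaping: the surviving "<meta ...>" is literal text, so templates must interpolate it, never render it as HTML.` Consider a third case with an event-handler payload such as `<img src=x onerror=alert(1)>`, asserting on whatever the sanitiser actually returns for it, so a regression that starts letting `onerror` attributes through is caught. A `describe "flag/1"` label would also name the function under test more precisely than "report creation".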