Merge branch 'bug/fix-XSS-on-event-title' into 'master'
Make sure title is properly sanitized. Closes #247. See merge request framasoft/mobilizon!281
commit
4dcbf85d9a
|
@ -73,7 +73,7 @@ defmodule MobilizonWeb.API.Events do
|
||||||
|
|
||||||
defp prepare_args(args) do
|
defp prepare_args(args) do
|
||||||
with %Actor{} = organizer_actor <- Map.get(args, :organizer_actor),
|
with %Actor{} = organizer_actor <- Map.get(args, :organizer_actor),
|
||||||
title <- args |> Map.get(:title, "") |> String.trim(),
|
title <- args |> Map.get(:title, "") |> HtmlSanitizeEx.strip_tags() |> String.trim(),
|
||||||
visibility <- Map.get(args, :visibility, :public),
|
visibility <- Map.get(args, :visibility, :public),
|
||||||
description <- Map.get(args, :description),
|
description <- Map.get(args, :description),
|
||||||
tags <- Map.get(args, :tags),
|
tags <- Map.get(args, :tags),
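Review bot: `HtmlSanitizeEx.strip_tags/1` on the `title <-` line removes markup before the value is stored, but the sanitizer re-serializes whatever text remains as HTML, so a plain-text title such as `Rock & Roll` or `a < b` is likely to be persisted entity-encoded or truncated rather than verbatim — please confirm with a test before relying on this, and if that is what happens consider keeping the title as plain text and escaping at render time instead. The `description` bound two lines below is still passed through untouched by this function, while the test added in this commit expects a sanitized description, so that presumably happens elsewhere; a short pointer here such as `# description is sanitized downstream (see <module>)` would save the next reader from looking for it. `prepare_args/1` continues past the end of this hunk, so I cannot see whether it is also used by the update path.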
|
||||||
|
|
|
@ -119,6 +119,48 @@ defmodule MobilizonWeb.Resolvers.EventResolverTest do
|
||||||
assert json_response(res, 200)["data"]["createEvent"]["title"] == "come to my event"
|
assert json_response(res, 200)["data"]["createEvent"]["title"] == "come to my event"
|
||||||
end
|
end
|
||||||
|
|
||||||
|
test "create_event/3 creates an event and escapes title and description", %{
|
||||||
|
conn: conn,
|
||||||
|
actor: actor,
|
||||||
|
user: user
|
||||||
|
} do
|
||||||
|
mutation = """
|
||||||
|
mutation createEvent($title: String!, $description: String, $begins_on: DateTime, $organizer_actor_id: ID!) {
|
||||||
|
createEvent(
|
||||||
|
title: $title,
|
||||||
|
description: $description,
|
||||||
|
begins_on: $begins_on,
|
||||||
|
organizer_actor_id: $organizer_actor_id
|
||||||
|
) {
|
||||||
|
title,
|
||||||
|
description,
|
||||||
|
uuid
|
||||||
|
}
|
||||||
|
}
|
||||||
|
"""
|
||||||
|
|
||||||
|
res =
|
||||||
|
conn
|
||||||
|
|> auth_conn(user)
|
||||||
|
|> AbsintheHelpers.graphql_query(
|
||||||
|
query: mutation,
|
||||||
|
variables: %{
|
||||||
|
title:
|
||||||
|
"My Event title <img src=\"http://placekitten.com/g/200/300\" onclick=\"alert('aaa')\" >",
|
||||||
|
description:
|
||||||
|
"<b>My description</b> <img src=\"http://placekitten.com/g/200/300\" onclick=\"alert('aaa')\" >",
|
||||||
|
begins_on: DateTime.utc_now() |> DateTime.truncate(:second) |> DateTime.to_iso8601(),
|
||||||
|
organizer_actor_id: "#{actor.id}"
|
||||||
|
}
|
||||||
|
)
|
||||||
|
|
||||||
|
assert res["errors"] == nil
|
||||||
|
assert res["data"]["createEvent"]["title"] == "My Event title"
|
||||||
|
|
||||||
|
assert res["data"]["createEvent"]["description"] ==
|
||||||
|
"<b>My description</b> <img src=\"http://placekitten.com/g/200/300\" />"
|
||||||
|
end
|
||||||
|
|
||||||
test "create_event/3 creates an event as a draft", %{conn: conn, actor: actor, user: user} do
|
test "create_event/3 creates an event as a draft", %{conn: conn, actor: actor, user: user} do
|
||||||
mutation = """
|
mutation = """
|
||||||
mutation {
|
mutation {
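Review bot: The new test pins that the `onclick` handler is dropped from both fields, but it does not cover a benign title containing characters the sanitizer may rewrite — a second case such as `title: "Rock & Roll"` asserting `res["data"]["createEvent"]["title"] == "Rock & Roll"` would catch entity-encoding of stored titles instead of silently accepting it. The test name says `escapes title and description`, yet the assertions show tags being stripped from the title and the unsafe attribute removed from the description, so `sanitizes title and description` describes the behaviour more accurately. Only `createEvent` is exercised; if event updates share the same `prepare_args/1` path an `updateEvent` case with the same payload would be cheap to add, though that path is not visible in this diff.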
|
||||||
|
|
|
@ -1,4 +1,7 @@
|
||||||
defmodule MobilizonWeb.AbsintheHelpers do
|
defmodule MobilizonWeb.AbsintheHelpers do
|
||||||
|
use Phoenix.ConnTest
|
||||||
|
@endpoint MobilizonWeb.Endpoint
|
||||||
|
|
||||||
@moduledoc """
|
@moduledoc """
|
||||||
Absinthe helpers for tests
|
Absinthe helpers for tests
|
||||||
"""
|
"""
|
||||||
|
@ -17,4 +20,20 @@ defmodule MobilizonWeb.AbsintheHelpers do
|
||||||
"variables" => ""
|
"variables" => ""
|
||||||
}
|
}
|
||||||
end
|
end
|
||||||
|
|
||||||
|
def graphql_query(conn, options) do
|
||||||
|
conn
|
||||||
|
|> post(
|
||||||
|
"/api",
|
||||||
|
build_query(options[:query], options[:variables])
|
||||||
|
)
|
||||||
|
|> json_response(200)
|
||||||
|
end
|
||||||
|
|
||||||
|
defp build_query(query, variables) do
|
||||||
|
%{
|
||||||
|
"query" => query,
|
||||||
|
"variables" => variables
|
||||||
|
}
|
||||||
|
end
|
||||||
end
|
end
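Review bot: `build_query/2` sends `"variables" => nil` whenever a caller omits `:variables`, whereas the existing helper just above it sends `"variables" => ""`, so the two helpers disagree on what "no variables" looks like on the wire; `"variables" => variables || %{}` would make the omitted case explicit and keep it a JSON object. `graphql_query/2` also asserts the status via `|> json_response(200)`, so any non-200 response raises inside the helper rather than in the calling test — acceptable for a test helper, but worth stating in a `@doc` such as `@doc "POSTs a GraphQL document to /api and returns the decoded JSON body; raises unless the response status is 200."`. The `@endpoint MobilizonWeb.Endpoint` attribute added in the first hunk is what lets `post/3` resolve here, which is worth a one-line comment since the module previously held no endpoint.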
|
||||||
|
|