diff --git a/lib/federation/activity_stream/converter/flag.ex b/lib/federation/activity_stream/converter/flag.ex
index 347ee8d00..1d4944524 100644
--- a/lib/federation/activity_stream/converter/flag.ex
+++ b/lib/federation/activity_stream/converter/flag.ex
@@ -60,6 +60,7 @@ defmodule Mobilizon.Federation.ActivityStream.Converter.Flag do
"actor" => Relay.get_actor().url,
"id" => report.url,
"content" => report.content,
+ "mediaType" => "text/plain",
"object" => object
}
end
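Review bot: The new `"mediaType" => "text/plain"` entry declares the flag's content as plain text to remote instances, but the hunk gives no reason, and the enclosing function's head and the start of the map are outside the hunk. A short why-comment above the line would spare the next reader a trip to the report creation path: `# Report content is stored sanitized as plain text; declare it as such so remote instances do not render it as HTML.` The test added in this commit suggests the stripping happens in `Reports.flag/1`, so the declaration here and the sanitisation there live in different modules and must stay in step; a converter test asserting the `"mediaType"` key would pin that contract.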
diff --git a/lib/web/templates/email/report.html.heex b/lib/web/templates/email/report.html.heex
index 0a8ad5bbe..002e81ac5 100644
--- a/lib/web/templates/email/report.html.heex
+++ b/lib/web/templates/email/report.html.heex
@@ -192,7 +192,7 @@
>
<%= gettext("Reasons for report") %>
- <%= @report.content |> raw %>
+ <%= @report.content %>
-
+
+ {{ report.content }}
+
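Review bot: Dropping `raw` means `@report.content` is now HTML-escaped by the template engine, which is the right default, but any newlines in the stored content will collapse into one run of text in the rendered email unless the surrounding element preserves whitespace. If multi-line reports are expected, `<%= Phoenix.HTML.Format.text_to_html(@report.content) %>` keeps the escaping and turns line breaks into paragraphs, or the wrapping element can carry `white-space: pre-line`. The enclosing markup starts before the hunk; the trailing `{{ report.content }}` lines do not look like HEEx and may belong to another file whose diff header was lost in this rendering.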
diff --git a/src/views/Moderation/ReportView.vue b/src/views/Moderation/ReportView.vue
index 615c50686..0574dcf0a 100644
--- a/src/views/Moderation/ReportView.vue
+++ b/src/views/Moderation/ReportView.vue
@@ -216,11 +216,9 @@
{{ t("Unknown actor") }}
-
+
+ {{ report.content }}
+
{{ t("No comment") }}
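Review bot: Plain `{{ report.content }}` interpolation escapes HTML, so whatever the previous markup-based rendering did (the `nl2br` import removed in this file's second hunk points to a line-break conversion) is gone, and with it the line breaks of multi-line reports. If that formatting matters, keep the escaping and give the element `white-space: pre-line` (`style="white-space: pre-line"` or the equivalent utility class) rather than reintroducing raw HTML rendering. The surrounding template and the `t("No comment")` fallback condition start and end outside the hunk, so the rendering branch cannot be fully checked from here.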
@@ -407,7 +405,6 @@ import {
} from "@/types/actor";
import { DELETE_EVENT } from "@/graphql/event";
import uniq from "lodash/uniq";
-import { nl2br } from "@/utils/html";
import { DELETE_COMMENT } from "@/graphql/comment";
import { IComment } from "@/types/comment.model";
import { ActorType, AntiSpamFeedback, ReportStatusEnum } from "@/types/enums";
diff --git a/test/federation/activity_pub/types/reports_test.exs b/test/federation/activity_pub/types/reports_test.exs
new file mode 100644
index 000000000..8c17fe731
--- /dev/null
+++ b/test/federation/activity_pub/types/reports_test.exs
@@ -0,0 +1,41 @@
+defmodule Mobilizon.Federation.ActivityPub.Types.ReportsTest do
+ use Mobilizon.DataCase
+
+ import Mobilizon.Factory
+
+ alias Mobilizon.Actors.Actor
+ alias Mobilizon.Federation.ActivityPub.Types.Reports
+ alias Mobilizon.Reports.Report
+
+ describe "report creation" do
+ test "with XSS" do
+ %Actor{id: reporter_id} = insert(:actor)
+ %Actor{id: reported_id} = insert(:actor)
+
+ content =
+ "hello "
+
+ assert {:ok, %Report{content: saved_content}, _} =
+ Reports.flag(%{
+ reporter_id: reporter_id,
+ reported_id: reported_id,
+ content: content
+ })
+
+ assert saved_content == "hello "
+
+ content =
+ "<meta http-equiv=\"refresh\" content=\"0; url=http://example.com/\" />"
+
+ assert {:ok, %Report{content: saved_content}, _} =
+ Reports.flag(%{
+ reporter_id: reporter_id,
+ reported_id: reported_id,
+ content: content
+ })
+
+ assert saved_content ==
+ ""
+ end
+ end
+end
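Review bot: The single test `"with XSS"` rebinds `content` and `saved_content` to run two payloads in sequence, so a failure at `assert saved_content == ""` fires only after the first case passed and the message does not say which payload was involved. Splitting it into two tests under `describe "flag/1"` (for example `test "strips markup from content"` and `test "strips meta refresh from content"`) follows the one-describe-per-function convention and makes a failing case self-explanatory. The test also only checks the stored `Report.content`; nothing here exercises the `Flag` converter's new `"mediaType" => "text/plain"` field, which a one-assertion test on the converter output would cover. The expected strings appear to have lost their markup in this rendering, so the exact payloads cannot be verified from here.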