From ffff379d47cd75f63de217a4d7fb93e6d6ecbe73 Mon Sep 17 00:00:00 2001
From: Thomas Citharel
Date: Wed, 6 Dec 2023 11:05:56 +0100
Subject: [PATCH] fix: always consider report content as text

Report content was used as HTML in front-end and e-mails but wasn't sanitized as such.

Signed-off-by: Thomas Citharel
---
 .../activity_stream/converter/flag.ex | 1 +
 lib/web/templates/email/report.html.heex | 2 +-
 src/components/Report/ReportCard.vue | 4 +-
 src/views/Moderation/ReportView.vue | 9 ++--
 .../activity_pub/types/reports_test.exs | 41 +++++++++++++++++++
 5 files changed, 49 insertions(+), 8 deletions(-)
 create mode 100644 test/federation/activity_pub/types/reports_test.exs

diff --git a/lib/federation/activity_stream/converter/flag.ex b/lib/federation/activity_stream/converter/flag.ex
index 347ee8d00..1d4944524 100644
--- a/lib/federation/activity_stream/converter/flag.ex
+++ b/lib/federation/activity_stream/converter/flag.ex
@@ -60,6 +60,7 @@ defmodule Mobilizon.Federation.ActivityStream.Converter.Flag do
 "actor" => Relay.get_actor().url,
 "id" => report.url,
 "content" => report.content,
+ "mediaType" => "text/plain",
 "object" => object
 }
 end
diff --git a/lib/web/templates/email/report.html.heex b/lib/web/templates/email/report.html.heex
index 0a8ad5bbe..002e81ac5 100644
--- a/lib/web/templates/email/report.html.heex
+++ b/lib/web/templates/email/report.html.heex
@@ -192,7 +192,7 @@
 >
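Review bot: The new `"mediaType" => "text/plain"` entry at the end of the flag.ex hunk fixes the outbound Flag activity only; the hunk shows nothing about how a Flag received from a remote instance is handled, and a remote sender can attach HTML in `content` with any (or no) `mediaType`, so the inbound converter must treat that content as opaque text regardless of the field rather than trusting it. The line also deserves a why-comment, because ActivityStreams consumers default to rendering `content` as HTML when no `mediaType` is given: `# report.content is plain text; declare it, otherwise consumers default to rendering content as HTML`. The enclosing function starts outside the hunk.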

<%= gettext("Reasons for report") %>

- <%= @report.content |> raw %>
+ <%= @report.content %>
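Review bot: Dropping `raw` on the `@report.content` line makes HEEx escape the content, but the text is now emitted into HTML as-is, so line breaks typed by the reporter collapse into one paragraph unless the surrounding element carries `white-space: pre-line`, which the visible lines do not show. The same applies to the `{{ report.content }}` interpolations in the ReportCard.vue and ReportView.vue hunks below, where the removal of the `nl2br` import suggests newlines were previously turned into `<br>` elements. An inline `style="white-space: pre-line"` on the container here (inline because this is an e-mail template) and the equivalent class on the two Vue elements would keep the escaping while preserving the reporter's formatting. The enclosing markup starts and ends outside the hunk.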

-
+
+ {{ report.content }} +
diff --git a/src/views/Moderation/ReportView.vue b/src/views/Moderation/ReportView.vue
index 615c50686..0574dcf0a 100644
--- a/src/views/Moderation/ReportView.vue
+++ b/src/views/Moderation/ReportView.vue
@@ -216,11 +216,9 @@

{{ t("Unknown actor") }}

-
+
+ {{ report.content }} +

{{ t("No comment") }}

@@ -407,7 +405,6 @@ import {
 } from "@/types/actor";
 import { DELETE_EVENT } from "@/graphql/event";
 import uniq from "lodash/uniq";
-import { nl2br } from "@/utils/html";
 import { DELETE_COMMENT } from "@/graphql/comment";
 import { IComment } from "@/types/comment.model";
 import { ActorType, AntiSpamFeedback, ReportStatusEnum } from "@/types/enums";
diff --git a/test/federation/activity_pub/types/reports_test.exs b/test/federation/activity_pub/types/reports_test.exs
new file mode 100644
index 000000000..8c17fe731
--- /dev/null
+++ b/test/federation/activity_pub/types/reports_test.exs
@@ -0,0 +1,41 @@
+defmodule Mobilizon.Federation.ActivityPub.Types.ReportsTest do
+ use Mobilizon.DataCase
+
+ import Mobilizon.Factory
+
+ alias Mobilizon.Actors.Actor
+ alias Mobilizon.Federation.ActivityPub.Types.Reports
+ alias Mobilizon.Reports.Report
+
+ describe "report creation" do
+ test "with XSS" do
+ %Actor{id: reporter_id} = insert(:actor)
+ %Actor{id: reported_id} = insert(:actor)
+
+ content =
+ "hello "
+
+ assert {:ok, %Report{content: saved_content}, _} =
+ Reports.flag(%{
+ reporter_id: reporter_id,
+ reported_id: reported_id,
+ content: content
+ })
+
+ assert saved_content == "hello "
+
+ content =
+ "<meta http-equiv=\"refresh\" content=\"0; url=http://example.com/\" />"
+
+ assert {:ok, %Report{content: saved_content}, _} =
+ Reports.flag(%{
+ reporter_id: reporter_id,
+ reported_id: reported_id,
+ content: content
+ })
+
+ assert saved_content ==
+ ""
+ end
+ end
+end
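Review bot: The new reports_test.exs pins what `Reports.flag` persists for two HTML-looking payloads, but nothing asserts the other half of the fix, the `"mediaType" => "text/plain"` field added to the Flag converter; a test that builds a `%Report{}` and checks the converted activity includes `"mediaType" => "text/plain"` would cover it (the expected strings on the two `assert saved_content ==` lines appear mangled in this view, so their exact values are not reviewed here). The `describe` block would conventionally be named after the function under test, `describe "flag/1"`, and the test name `"with XSS"` describes the input rather than the expectation, so naming it after the property being checked would make a failure easier to read. The preceding ReportView.vue hunk only drops the now-unused `nl2br` import.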