mirror of
https://framagit.org/framasoft/mobilizon.git
synced 2025-01-03 05:45:14 +00:00
Merge branch 'bug/fix-XSS-on-event-title' into 'master'
Make sure title is properly sanitized Closes #247 See merge request framasoft/mobilizon!281
This commit is contained in:
commit
4dcbf85d9a
3 changed files with 62 additions and 1 deletions
|
@ -73,7 +73,7 @@ defmodule MobilizonWeb.API.Events do
|
|||
|
||||
defp prepare_args(args) do
|
||||
with %Actor{} = organizer_actor <- Map.get(args, :organizer_actor),
|
||||
title <- args |> Map.get(:title, "") |> String.trim(),
|
||||
title <- args |> Map.get(:title, "") |> HtmlSanitizeEx.strip_tags() |> String.trim(),
|
||||
visibility <- Map.get(args, :visibility, :public),
|
||||
description <- Map.get(args, :description),
|
||||
tags <- Map.get(args, :tags),
|
||||
|
|
|
@ -119,6 +119,48 @@ defmodule MobilizonWeb.Resolvers.EventResolverTest do
|
|||
assert json_response(res, 200)["data"]["createEvent"]["title"] == "come to my event"
|
||||
end
|
||||
|
||||
test "create_event/3 creates an event and escapes title and description", %{
|
||||
conn: conn,
|
||||
actor: actor,
|
||||
user: user
|
||||
} do
|
||||
mutation = """
|
||||
mutation createEvent($title: String!, $description: String, $begins_on: DateTime, $organizer_actor_id: ID!) {
|
||||
createEvent(
|
||||
title: $title,
|
||||
description: $description,
|
||||
begins_on: $begins_on,
|
||||
organizer_actor_id: $organizer_actor_id
|
||||
) {
|
||||
title,
|
||||
description,
|
||||
uuid
|
||||
}
|
||||
}
|
||||
"""
|
||||
|
||||
res =
|
||||
conn
|
||||
|> auth_conn(user)
|
||||
|> AbsintheHelpers.graphql_query(
|
||||
query: mutation,
|
||||
variables: %{
|
||||
title:
|
||||
"My Event title <img src=\"http://placekitten.com/g/200/300\" onclick=\"alert('aaa')\" >",
|
||||
description:
|
||||
"<b>My description</b> <img src=\"http://placekitten.com/g/200/300\" onclick=\"alert('aaa')\" >",
|
||||
begins_on: DateTime.utc_now() |> DateTime.truncate(:second) |> DateTime.to_iso8601(),
|
||||
organizer_actor_id: "#{actor.id}"
|
||||
}
|
||||
)
|
||||
|
||||
assert res["errors"] == nil
|
||||
assert res["data"]["createEvent"]["title"] == "My Event title"
|
||||
|
||||
assert res["data"]["createEvent"]["description"] ==
|
||||
"<b>My description</b> <img src=\"http://placekitten.com/g/200/300\" />"
|
||||
end
|
||||
|
||||
test "create_event/3 creates an event as a draft", %{conn: conn, actor: actor, user: user} do
|
||||
mutation = """
|
||||
mutation {
|
||||
|
|
|
@ -1,4 +1,7 @@
|
|||
defmodule MobilizonWeb.AbsintheHelpers do
|
||||
use Phoenix.ConnTest
|
||||
@endpoint MobilizonWeb.Endpoint
|
||||
|
||||
@moduledoc """
|
||||
Absinthe helpers for tests
|
||||
"""
|
||||
|
@ -17,4 +20,20 @@ defmodule MobilizonWeb.AbsintheHelpers do
|
|||
"variables" => ""
|
||||
}
|
||||
end
|
||||
|
||||
def graphql_query(conn, options) do
|
||||
conn
|
||||
|> post(
|
||||
"/api",
|
||||
build_query(options[:query], options[:variables])
|
||||
)
|
||||
|> json_response(200)
|
||||
end
|
||||
|
||||
defp build_query(query, variables) do
|
||||
%{
|
||||
"query" => query,
|
||||
"variables" => variables
|
||||
}
|
||||
end
|
||||
end
|
||||
|
|
Loading…
Reference in a new issue