Fix User.registration_reason HTML sanitizing issues

Alex Gleason 2020-07-27 20:36:31 -05:00
parent f43518eb74
commit f688c8df82
No known key found for this signature in database
GPG key ID: 7211D1F99744FBB7
3 changed files with 5 additions and 5 deletions
lib/pleroma
emails
web/twitter_api
test/web/mastodon_api/controllers


@ -8,6 +8,7 @@ defmodule Pleroma.Emails.AdminEmail do
import Swoosh.Email
alias Pleroma.Config
alias Pleroma.HTML
alias Pleroma.Web.Router.Helpers
defp instance_config, do: Config.get(:instance)
@ -86,7 +87,7 @@ def report(to, reporter, account, statuses, comment) do
def new_unapproved_registration(to, account) do
html_body = """
<p>New account for review: <a href="#{user_url(account)}">@#{account.nickname}</a></p>
<blockquote>#{account.registration_reason}</blockquote>
<blockquote>#{HTML.strip_tags(account.registration_reason)}</blockquote>
<a href="#{Pleroma.Web.base_url()}/pleroma/admin">Visit AdminFE</a>
"""
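Review bot: `account.registration_reason` may be nil when the applicant gave no reason, and the new `HTML.strip_tags(account.registration_reason)` call in the blockquote line does not show how nil is handled. Since `register_user` now stores `params[:reason]` as-is, a nil can reach this template; if `strip_tags` does not accept nil, `HTML.strip_tags(account.registration_reason || "")` would keep the mail from failing. The line above it also interpolates `account.nickname` unescaped, which is safe only if nickname validation (not visible here) excludes markup characters. The function body continues past the end of the hunk.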


@ -7,7 +7,6 @@ defmodule Pleroma.Web.TwitterAPI.TwitterAPI do
alias Pleroma.Emails.Mailer
alias Pleroma.Emails.UserEmail
alias Pleroma.HTML
alias Pleroma.Repo
alias Pleroma.User
alias Pleroma.UserInviteToken
@ -20,7 +19,7 @@ def register_user(params, opts \\ []) do
|> Map.put(:nickname, params[:username])
|> Map.put(:name, Map.get(params, :fullname, params[:username]))
|> Map.put(:password_confirmation, params[:password])
|> Map.put(:registration_reason, HTML.strip_tags(params[:reason]))
|> Map.put(:registration_reason, params[:reason])
if Pleroma.Config.get([:instance, :registrations_open]) do
create_user(params, opts)
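Review bot: With `HTML.strip_tags` dropped from the `:registration_reason` put, the stored value is raw user input, so every place that renders it must encode it at output. This commit updates only the admin e-mail; any other consumer (admin API responses, AdminFE) is not visible here and should be checked. A comment on the line would make the contract explicit: `# stored unsanitized: escape wherever this is rendered as HTML`. If the changeset does not enforce a length limit (not shown), one is worth adding, since the field is supplied by the registrant. register_user starts before the hunk and continues after it.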


@ -1017,7 +1017,7 @@ test "Account registration via app with account_approval_required", %{conn: conn
password: "PlzDontHackLain",
bio: "Test Bio",
agreement: true,
reason: "I am a cool dude, bro"
reason: "I'm a cool dude, bro"
})
%{
@ -1035,7 +1035,7 @@ test "Account registration via app with account_approval_required", %{conn: conn
assert token_from_db.user.confirmation_pending
assert token_from_db.user.approval_pending
assert token_from_db.user.registration_reason == "I am a cool dude, bro"
assert token_from_db.user.registration_reason == "I'm a cool dude, bro"
end
test "returns error when user already registred", %{conn: conn, valid_params: valid_params} do
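Review bot: The updated test checks only that an apostrophe round-trips into `registration_reason`; nothing here asserts that markup in a reason is neutralized where it is rendered. A companion case that registers with a reason such as `"<b>cool</b> dude"` (constructed sample) and asserts that the body built by `AdminEmail.new_unapproved_registration/2` contains no `<b>` would pin the behaviour this commit relies on. Without it, a later refactor of the e-mail template could reintroduce raw interpolation unnoticed.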