CommonAPI: Escape HTML for chat messages.

lib/pleroma/web/common_api/common_api.ex

@@ -17,6 +17,7 @@ defmodule Pleroma.Web.CommonAPI do
   alias Pleroma.Web.ActivityPub.Pipeline
   alias Pleroma.Web.ActivityPub.Utils
   alias Pleroma.Web.ActivityPub.Visibility
+  alias Pleroma.Formatter
 
   import Pleroma.Web.Gettext
   import Pleroma.Web.CommonAPI.Utils
@@ -28,7 +29,12 @@ def post_chat_message(%User{} = user, %User{} = recipient, content) do
     transaction =
       Repo.transaction(fn ->
         with {_, {:ok, chat_message_data, _meta}} <-
-               {:build_object, Builder.chat_message(user, recipient.ap_id, content)},
+               {:build_object,
+                Builder.chat_message(
+                  user,
+                  recipient.ap_id,
+                  content |> Formatter.html_escape("text/plain")
+                )},
              {_, {:ok, chat_message_object}} <-
                {:create_object, Object.create(chat_message_data)},
              {_, {:ok, create_activity_data, _meta}} <-

test/web/common_api/common_api_test.exs

@@ -27,7 +27,12 @@ test "it posts a chat message" do
       author = insert(:user)
       recipient = insert(:user)
 
-      {:ok, activity} = CommonAPI.post_chat_message(author, recipient, "a test message")
+      {:ok, activity} =
+        CommonAPI.post_chat_message(
+          author,
+          recipient,
+          "a test message <script>alert('uuu')</script>"
+        )
 
       assert activity.data["type"] == "Create"
       assert activity.local
@@ -35,7 +40,9 @@ test "it posts a chat message" do
 
       assert object.data["type"] == "ChatMessage"
       assert object.data["to"] == [recipient.ap_id]
-      assert object.data["content"] == "a test message"
+
+      assert object.data["content"] ==
+               "a test message &lt;script&gt;alert(&#39;uuu&#39;)&lt;/script&gt;"
 
       assert Chat.get(author.id, recipient.ap_id)
       assert Chat.get(recipient.id, author.ap_id)