Fix User.registration_reason HTML sanitizing issues

2020-07-27 20:36:31 -05:00 · 2020-07-27 20:36:31 -05:00 · f688c8df82
commit f688c8df82
parent f43518eb74
3 changed files with 5 additions and 5 deletions
--- a/lib/pleroma/emails/admin_email.ex
+++ b/lib/pleroma/emails/admin_email.ex
@ -8,6 +8,7 @@ defmodule Pleroma.Emails.AdminEmail do
  import Swoosh.Email

  alias Pleroma.Config
+  alias Pleroma.HTML
  alias Pleroma.Web.Router.Helpers

  defp instance_config, do: Config.get(:instance)
@ -86,7 +87,7 @@ def report(to, reporter, account, statuses, comment) do
  def new_unapproved_registration(to, account) do
    html_body = """
    <p>New account for review: <a href="#{user_url(account)}">@#{account.nickname}</a></p>
-    <blockquote>#{account.registration_reason}</blockquote>
+    <blockquote>#{HTML.strip_tags(account.registration_reason)}</blockquote>
    <a href="#{Pleroma.Web.base_url()}/pleroma/admin">Visit AdminFE</a>
    """

--- a/lib/pleroma/web/twitter_api/twitter_api.ex
+++ b/lib/pleroma/web/twitter_api/twitter_api.ex
@ -7,7 +7,6 @@ defmodule Pleroma.Web.TwitterAPI.TwitterAPI do

  alias Pleroma.Emails.Mailer
  alias Pleroma.Emails.UserEmail
-  alias Pleroma.HTML
  alias Pleroma.Repo
  alias Pleroma.User
  alias Pleroma.UserInviteToken
@ -20,7 +19,7 @@ def register_user(params, opts \\ []) do
      |> Map.put(:nickname, params[:username])
      |> Map.put(:name, Map.get(params, :fullname, params[:username]))
      |> Map.put(:password_confirmation, params[:password])
-      |> Map.put(:registration_reason, HTML.strip_tags(params[:reason]))
+      |> Map.put(:registration_reason, params[:reason])

    if Pleroma.Config.get([:instance, :registrations_open]) do
      create_user(params, opts)
--- a/test/web/mastodon_api/controllers/account_controller_test.exs
+++ b/test/web/mastodon_api/controllers/account_controller_test.exs
@ -1017,7 +1017,7 @@ test "Account registration via app with account_approval_required", %{conn: conn
          password: "PlzDontHackLain",
          bio: "Test Bio",
          agreement: true,
-          reason: "I am a cool dude, bro"
+          reason: "I'm a cool dude, bro"
        })

      %{
@ -1035,7 +1035,7 @@ test "Account registration via app with account_approval_required", %{conn: conn
      assert token_from_db.user.confirmation_pending
      assert token_from_db.user.approval_pending

-      assert token_from_db.user.registration_reason == "I am a cool dude, bro"
+      assert token_from_db.user.registration_reason == "I'm a cool dude, bro"
    end

    test "returns error when user already registred", %{conn: conn, valid_params: valid_params} do