From 8094f1d80ab153c0f52254ac1610c6dcefe572cc Mon Sep 17 00:00:00 2001
From: Thomas Citharel
Date: Wed, 16 Oct 2019 19:03:31 +0200
Subject: [PATCH] Make sure title is properly sanitized
Close #247
Signed-off-by: Thomas Citharel
---
 lib/mobilizon_web/api/events.ex | 2 +-
 .../resolvers/event_resolver_test.exs | 42 +++++++++++++++++++
 test/support/abinthe_helpers.ex | 19 +++++++++
 3 files changed, 62 insertions(+), 1 deletion(-)
diff --git a/lib/mobilizon_web/api/events.ex b/lib/mobilizon_web/api/events.ex
index cfc9ce9d..64a9fb4e 100644
--- a/lib/mobilizon_web/api/events.ex
+++ b/lib/mobilizon_web/api/events.ex
@@ -73,7 +73,7 @@ defmodule MobilizonWeb.API.Events do
 defp prepare_args(args) do
 with %Actor{} = organizer_actor <- Map.get(args, :organizer_actor),
- title <- args |> Map.get(:title, "") |> String.trim(),
+ title <- args |> Map.get(:title, "") |> HtmlSanitizeEx.strip_tags() |> String.trim(),
 visibility <- Map.get(args, :visibility, :public),
 description <- Map.get(args, :description),
 tags <- Map.get(args, :tags),
diff --git a/test/mobilizon_web/resolvers/event_resolver_test.exs b/test/mobilizon_web/resolvers/event_resolver_test.exs
index 53f77b97..ee66ee0e 100644
--- a/test/mobilizon_web/resolvers/event_resolver_test.exs
+++ b/test/mobilizon_web/resolvers/event_resolver_test.exs
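Review bot: The new `HtmlSanitizeEx.strip_tags()` call cleans only `title`; the `description <- Map.get(args, :description)` clause two lines below still passes the description through untouched, and the commit's own test expects the description to come back exactly as submitted. If the description is sanitized somewhere else (for instance at render time), a comment on that clause such as `# description is sanitized at render time, not here` would keep the next reader from assuming it is trusted; if it is not, it deserves the same treatment as the title. Also worth verifying: as far as I know `strip_tags/1` returns HTML-encoded text, so a title like `A & B` may now be stored as `A &amp; B` where the old `String.trim()`-only path stored it verbatim — check how the title is emitted in non-HTML contexts (JSON API, ActivityPub). `prepare_args/1`'s `with` block continues outside the hunk.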
@@ -119,6 +119,48 @@ defmodule MobilizonWeb.Resolvers.EventResolverTest do
 assert json_response(res, 200)["data"]["createEvent"]["title"] == "come to my event"
 end
 
+ test "create_event/3 creates an event and escapes title and description", %{
+ conn: conn,
+ actor: actor,
+ user: user
+ } do
+ mutation = """
+ mutation createEvent($title: String!, $description: String, $begins_on: DateTime, $organizer_actor_id: ID!) {
+ createEvent(
+ title: $title,
+ description: $description,
+ begins_on: $begins_on,
+ organizer_actor_id: $organizer_actor_id
+ ) {
+ title,
+ description,
+ uuid
+ }
+ }
+ """
+
+ res =
+ conn
+ |> auth_conn(user)
+ |> AbsintheHelpers.graphql_query(
+ query: mutation,
+ variables: %{
+ title:
+ "My Event title ",
+ description:
+ "My description ",
+ begins_on: DateTime.utc_now() |> DateTime.truncate(:second) |> DateTime.to_iso8601(),
+ organizer_actor_id: "#{actor.id}"
+ }
+ )
+
+ assert res["errors"] == nil
+ assert res["data"]["createEvent"]["title"] == "My Event title"
+
+ assert res["data"]["createEvent"]["description"] ==
+ "My description "
+ end
+
 test "create_event/3 creates an event as a draft", %{conn: conn, actor: actor, user: user} do
 mutation = """
 mutation {
diff --git a/test/support/abinthe_helpers.ex b/test/support/abinthe_helpers.ex
index ce7e673b..33df27da 100644
--- a/test/support/abinthe_helpers.ex
+++ b/test/support/abinthe_helpers.ex
@@ -1,4 +1,7 @@
 defmodule MobilizonWeb.AbsintheHelpers do
+ use Phoenix.ConnTest
+ @endpoint MobilizonWeb.Endpoint
+
 @moduledoc """
 Absinthe helpers for tests
 """
@@ -17,4 +20,20 @@ defmodule MobilizonWeb.AbsintheHelpers do
 "variables" => ""
 }
 end
+
+ def graphql_query(conn, options) do
+ conn
+ |> post(
+ "/api",
+ build_query(options[:query], options[:variables])
+ )
+ |> json_response(200)
+ end
+
+ defp build_query(query, variables) do
+ %{
+ "query" => query,
+ "variables" => variables
+ }
+ end
 end
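Review bot: The test is named `creates an event and escapes title and description`, yet its description assertion expects the value exactly as it was submitted (the markup inside the two string literals appears to have been lost in this rendering of the patch, so I cannot see what the inputs were), so either the name overstates what is checked or the description assertion should pin a sanitized form that differs from the input. Renaming it to `create_event/3 creates an event and strips tags from the title`, or adding an assertion that the stored description is not the raw input, would make the intent of the test match what it proves. The enclosing `describe` block starts and ends outside the hunk.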
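Review bot: `use Phoenix.ConnTest` and `@endpoint MobilizonWeb.Endpoint` are inserted above `@moduledoc`, whereas the usual module layout puts `@moduledoc` first, then `use`/`import`/`alias`, then other attributes; moving the two added lines below the `@moduledoc` block keeps this helper consistent with that convention. A short `# post/3 and json_response/2 used by graphql_query/2 come from ConnTest` on the `use` line would also explain why a support module pulls in `Phoenix.ConnTest`.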
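Review bot: `graphql_query/2` reads its options with `options[:query]` and `options[:variables]`, which silently yield `nil` for a missing or misspelled key and send a `"query" => nil` body to `/api`; the mistake then surfaces as a confusing failure inside `json_response(200)` instead of at the call site. `build_query(Keyword.fetch!(options, :query), Keyword.get(options, :variables, %{}))` makes the contract explicit and fails on the caller's line. The new public function also has no `@doc` or `@spec`; something like `@doc "Posts the GraphQL `query` with `variables` to `/api` using `conn` and returns the decoded 200 JSON body."` with `@spec graphql_query(Plug.Conn.t(), keyword()) :: map()` (the body is a decoded JSON object as far as the visible code shows) would document it.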