| -rw-r--r-- | lib/pleroma/web/common_api/common_api.ex | 8 | ||||
| -rw-r--r-- | test/web/common_api/common_api_test.exs | 11 | 
2 files changed, 16 insertions, 3 deletions
|
diff --git a/lib/pleroma/web/common_api/common_api.ex b/lib/pleroma/web/common_api/common_api.ex
index c306c1e96..2c25850db 100644
--- a/lib/pleroma/web/common_api/common_api.ex
+++ b/lib/pleroma/web/common_api/common_api.ex
@@ -17,6 +17,7 @@ defmodule Pleroma.Web.CommonAPI do
   alias Pleroma.Web.ActivityPub.Pipeline
   alias Pleroma.Web.ActivityPub.Utils
   alias Pleroma.Web.ActivityPub.Visibility
+  alias Pleroma.Formatter
   import Pleroma.Web.Gettext
   import Pleroma.Web.CommonAPI.Utils
@@ -28,7 +29,12 @@ defmodule Pleroma.Web.CommonAPI do
     transaction =
       Repo.transaction(fn ->
         with {_, {:ok, chat_message_data, _meta}} <-
-               {:build_object, Builder.chat_message(user, recipient.ap_id, content)},
+               {:build_object,
+                Builder.chat_message(
+                  user,
+                  recipient.ap_id,
+                  content |> Formatter.html_escape("text/plain")
+                )},
              {_, {:ok, chat_message_object}} <-
                {:create_object, Object.create(chat_message_data)},
              {_, {:ok, create_activity_data, _meta}} <-
diff --git a/test/web/common_api/common_api_test.exs b/test/web/common_api/common_api_test.exs
index 168721c81..abe3e6f8d 100644
--- a/test/web/common_api/common_api_test.exs
+++ b/test/web/common_api/common_api_test.exs
@@ -27,7 +27,12 @@ defmodule Pleroma.Web.CommonAPITest do
       author = insert(:user)
       recipient = insert(:user)
-      {:ok, activity} = CommonAPI.post_chat_message(author, recipient, "a test message")
+      {:ok, activity} =
+        CommonAPI.post_chat_message(
+          author,
+          recipient,
+          "a test message <script>alert('uuu')</script>"
+        )
       assert activity.data["type"] == "Create"
       assert activity.local
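Review bot: In the `@@ -28,7 +29,12 @@` hunk of common_api.ex the escaping is applied only at this one call site, `content |> Formatter.html_escape("text/plain")`, so it covers chat messages created through this function and nothing else visible in the diff. If ChatMessage objects can also be stored through another path (incoming federation is the likely one, but it is not shown here), their `content` would still be persisted unescaped; it is worth confirming that the object validation or ingestion path sanitises `content` too, or moving the sanitising to where the object is validated. A comment above the call such as `# content is stored as HTML; escape plain-text input before it is persisted` would record why the call is there. As a style point, a single-step pipe reads more plainly as `Formatter.html_escape(content, "text/plain")`. The `with` chain starts above the hunk and continues past its last line.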
@@ -35,7 +40,9 @@ defmodule Pleroma.Web.CommonAPITest do
       assert object.data["type"] == "ChatMessage"
       assert object.data["to"] == [recipient.ap_id]
-      assert object.data["content"] == "a test message"
+
+      assert object.data["content"] ==
+               "a test message <script>alert('uuu')</script>"
       assert Chat.get(author.id, recipient.ap_id)
       assert Chat.get(recipient.id, author.ap_id)
|
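Review bot: As rendered on this page, the expected value in the new `assert object.data["content"] == ...` is byte-identical to the input string passed to `post_chat_message` in the previous hunk, so the assertion as shown would not demonstrate that anything was escaped. Presumably the page decoded the HTML entities and the committed test compares against the entity-encoded form; that should be checked against the raw patch. Independently of that, a negative assertion states the security intent directly and does not depend on the exact entity encoding: `refute object.data["content"] =~ "<script>"`. The test body begins above the previous hunk and continues past this one.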
