authorHaelwenn <contact+git.pleroma.social@hacktivis.me>2019-06-16 18:05:00 +0000
committerHaelwenn <contact+git.pleroma.social@hacktivis.me>2019-06-16 18:05:00 +0000
commitc34327b22e6e01e9e162ec93217f8ce2352204ac (patch)
tree8b0858ee3738ee9bd443feed15b870aeebec7c45 /lib
parentefa445a75b242787a30ffbc2eb16bd165260f66c (diff)
parentbf6aa6f1a8460448d51dc69e05257058b3d56a43 (diff)
downloadpleroma-c34327b22e6e01e9e162ec93217f8ce2352204ac.tar.gz
Merge branch 'fix/sanitize-report-content' into 'develop'
Sanitize HTML in ReportView Closes #990 See merge request pleroma/pleroma!1293
Diffstat (limited to 'lib')
-rw-r--r--lib/pleroma/web/admin_api/views/report_view.ex10
1 files changed, 9 insertions, 1 deletions
diff --git a/lib/pleroma/web/admin_api/views/report_view.ex b/lib/pleroma/web/admin_api/views/report_view.ex
index 47a73dc7e..e7db3a8ff 100644
--- a/lib/pleroma/web/admin_api/views/report_view.ex
+++ b/lib/pleroma/web/admin_api/views/report_view.ex
@@ -5,6 +5,7 @@
defmodule Pleroma.Web.AdminAPI.ReportView do
use Pleroma.Web, :view
alias Pleroma.Activity
+ alias Pleroma.HTML
alias Pleroma.User
alias Pleroma.Web.CommonAPI.Utils
alias Pleroma.Web.MastodonAPI.AccountView
@@ -23,6 +24,13 @@ defmodule Pleroma.Web.AdminAPI.ReportView do
[account_ap_id | status_ap_ids] = report.data["object"]
account = User.get_cached_by_ap_id(account_ap_id)
+ content =
+ unless is_nil(report.data["content"]) do
+ HTML.filter_tags(report.data["content"])
+ else
+ nil
+ end
+
statuses =
Enum.map(status_ap_ids, fn ap_id ->
Activity.get_by_ap_id_with_object(ap_id)
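Review bot: The `unless is_nil(...)` guard at `content =` only screens out nil, so a `report.data["content"]` that is present but not a string is passed straight to `HTML.filter_tags/1`; if that call raises on non-binaries (its body is not visible here), a single malformed report would break report rendering for moderators. Guarding on the type covers that case and also drops the `unless … else` form that Elixir style discourages: `content = if is_binary(report.data["content"]), do: HTML.filter_tags(report.data["content"])`. Filtering is applied only in this view, so the stored `report.data["content"]` stays raw and any other code path that outputs it (inferred, none is shown in this diff) needs the same filtering. The enclosing render function starts and ends outside the hunk.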
@@ -32,7 +40,7 @@ defmodule Pleroma.Web.AdminAPI.ReportView do
id: report.id,
account: AccountView.render("account.json", %{user: account}),
actor: AccountView.render("account.json", %{user: user}),
- content: report.data["content"],
+ content: content,
created_at: created_at,
statuses: StatusView.render("index.json", %{activities: statuses, as: :activity}),
state: report.data["state"]