From e943905bd7e256555a66b54d956013aa499d08d6 Mon Sep 17 00:00:00 2001
From: rinpatch
Date: Sun, 16 Jun 2019 01:30:14 +0300
Subject: [PATCH 1/4] Add tests for report view
---
 test/web/admin_api/views/report_view_test.exs | 98 +++++++++++++++++++
 1 file changed, 98 insertions(+)
 create mode 100644 test/web/admin_api/views/report_view_test.exs
diff --git a/test/web/admin_api/views/report_view_test.exs b/test/web/admin_api/views/report_view_test.exs
new file mode 100644
index 000000000..52774c889
--- /dev/null
+++ b/test/web/admin_api/views/report_view_test.exs
@@ -0,0 +1,98 @@
+# Pleroma: A lightweight social networking server
+# Copyright © 2017-2019 Pleroma Authors
+# SPDX-License-Identifier: AGPL-3.0-only
+
+defmodule Pleroma.Web.AdminAPI.ReportViewTest do
+ use Pleroma.DataCase
+ import Pleroma.Factory
+ alias Pleroma.Web.AdminAPI.ReportView
+ alias Pleroma.Web.MastodonAPI.AccountView
+ alias Pleroma.Web.MastodonAPI.StatusView
+ alias Pleroma.Web.CommonAPI
+
+ test "renders a report" do
+ user = insert(:user)
+ other_user = insert(:user)
+
+ {:ok, activity} = CommonAPI.report(user, %{"account_id" => other_user.id})
+
+ expected = %{
+ content: "",
+ actor: AccountView.render("account.json", %{user: user}),
+ account: AccountView.render("account.json", %{user: other_user}),
+ statuses: [],
+ state: "open",
+ id: activity.id
+ }
+
+ result =
+ ReportView.render("show.json", %{report: activity})
+ |> Map.delete(:created_at)
+
+ assert result == expected
+ end
+
+ test "includes reported statuses" do
+ user = insert(:user)
+ other_user = insert(:user)
+ {:ok, activity} = CommonAPI.post(other_user, %{"status" => "toot"})
+
+ {:ok, report_activity} =
+ CommonAPI.report(user, %{"account_id" => other_user.id, "status_ids" => [activity.id]})
+
+ expected = %{
+ content: "",
+ actor: AccountView.render("account.json", %{user: user}),
+ account: AccountView.render("account.json", %{user: other_user}),
+ statuses: [StatusView.render("status.json", %{activity: activity})],
+ state: "open",
+ id: report_activity.id
+ }
+
+ result =
+ ReportView.render("show.json", %{report: report_activity})
+ |> Map.delete(:created_at)
+
+ assert result == expected
+ end
+
+ test "renders report's state" do
+ user = insert(:user)
+ other_user = insert(:user)
+
+ {:ok, activity} = CommonAPI.report(user, %{"account_id" => other_user.id})
+ {:ok, activity} = CommonAPI.update_report_state(activity.id, "closed")
+ assert %{state: "closed"} = ReportView.render("show.json", %{report: activity})
+ end
+
+ test "renders report description" do
+ user = insert(:user)
+ other_user = insert(:user)
+
+ {:ok, activity} =
+ CommonAPI.report(user, %{
+ "account_id" => other_user.id,
+ "comment" => "posts are too good for this instance"
+ })
+
+ assert %{content: "posts are too good for this instance"} =
+ ReportView.render("show.json", %{report: activity})
+ end
+
+ test "sanitizes report description" do
+ user = insert(:user)
+ other_user = insert(:user)
+
+ {:ok, activity} =
+ CommonAPI.report(user, %{
+ "account_id" => other_user.id,
+ "comment" => ""
+ })
+
+ data = Map.put(activity.data, "content", "")
+ activity = Map.put(activity, :data, data)
+
+ refute %{content: ""} ==
+ ReportView.render("show.json", %{report: activity})[:content]
+ end
+end
From 641bcaa44e47a83bb7730e39b2f6b9d16251b40e Mon Sep 17 00:00:00 2001
From: rinpatch
Date: Sun, 16 Jun 2019 01:30:32 +0300
Subject: [PATCH 2/4] Sanitize HTML in ReportView Closes #990
---
 lib/pleroma/web/admin_api/views/report_view.ex | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/lib/pleroma/web/admin_api/views/report_view.ex b/lib/pleroma/web/admin_api/views/report_view.ex
index 47a73dc7e..48d73b4cd 100644
--- a/lib/pleroma/web/admin_api/views/report_view.ex
+++ b/lib/pleroma/web/admin_api/views/report_view.ex
@@ -6,6 +6,7 @@ defmodule Pleroma.Web.AdminAPI.ReportView do
 use Pleroma.Web, :view
 alias Pleroma.Activity
 alias Pleroma.User
+ alias Pleroma.HTML
 alias Pleroma.Web.CommonAPI.Utils
 alias Pleroma.Web.MastodonAPI.AccountView
 alias Pleroma.Web.MastodonAPI.StatusView
@@ -32,7 +33,7 @@ def render("show.json", %{report: report}) do
 id: report.id,
 account: AccountView.render("account.json", %{user: account}),
 actor: AccountView.render("account.json", %{user: user}),
- content: report.data["content"],
+ content: HTML.filter_tags(report.data["content"]),
 created_at: created_at,
 statuses: StatusView.render("index.json", %{activities: statuses, as: :activity}),
 state: report.data["state"]
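Review bot: The "sanitizes report description" test, the last one in the new test/web/admin_api/views/report_view_test.exs (PATCH 1/4), overwrites `activity.data["content"]` after `CommonAPI.report/2` has already built the activity, and nothing explains why the payload is injected behind the API rather than passed as `"comment"`. A reader cannot tell whether this models content that reaches the view without going through the local report path, or works around processing done at creation time. I would add a comment above the two `Map.put` lines, for example `# Write the payload into the stored data directly: the view has to filter content regardless of how the report was created`.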
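Review bot: In the second hunk of lib/pleroma/web/admin_api/views/report_view.ex (PATCH 2/4), `content: HTML.filter_tags(report.data["content"])` filters only when this view renders, so the stored `report.data["content"]` stays raw and any other code that outputs the report has to filter it again. The one-argument call also leaves the choice of filter to the default of `HTML.filter_tags/1`, which is not visible here; if that default follows a configurable policy, a permissive setting would still let the allowed markup through to the admin client. For a free-text report comment I would consider stripping all markup, and in either case record the decision next to the call, for example `# report comments are user-supplied and stored unfiltered; filter on output`. `render/2` starts and ends outside the hunk.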
From 44de34d1706c8a15f06e86a85ce5361c5bf9e0a5 Mon Sep 17 00:00:00 2001
From: rinpatch
Date: Sun, 16 Jun 2019 01:35:45 +0300
Subject: [PATCH 3/4] Credo fixes
---
 lib/pleroma/web/admin_api/views/report_view.ex | 2 +-
 test/web/admin_api/views/report_view_test.exs | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/lib/pleroma/web/admin_api/views/report_view.ex b/lib/pleroma/web/admin_api/views/report_view.ex
index 48d73b4cd..a17a23ca3 100644
--- a/lib/pleroma/web/admin_api/views/report_view.ex
+++ b/lib/pleroma/web/admin_api/views/report_view.ex
@@ -5,8 +5,8 @@
 defmodule Pleroma.Web.AdminAPI.ReportView do
 use Pleroma.Web, :view
 alias Pleroma.Activity
- alias Pleroma.User
 alias Pleroma.HTML
+ alias Pleroma.User
 alias Pleroma.Web.CommonAPI.Utils
 alias Pleroma.Web.MastodonAPI.AccountView
 alias Pleroma.Web.MastodonAPI.StatusView
diff --git a/test/web/admin_api/views/report_view_test.exs b/test/web/admin_api/views/report_view_test.exs
index 52774c889..51c26a117 100644
--- a/test/web/admin_api/views/report_view_test.exs
+++ b/test/web/admin_api/views/report_view_test.exs
@@ -6,9 +6,9 @@ defmodule Pleroma.Web.AdminAPI.ReportViewTest do
 use Pleroma.DataCase
 import Pleroma.Factory
 alias Pleroma.Web.AdminAPI.ReportView
+ alias Pleroma.Web.CommonAPI
 alias Pleroma.Web.MastodonAPI.AccountView
 alias Pleroma.Web.MastodonAPI.StatusView
- alias Pleroma.Web.CommonAPI
 test "renders a report" do
 user = insert(:user)
From bf6aa6f1a8460448d51dc69e05257058b3d56a43 Mon Sep 17 00:00:00 2001
From: rinpatch
Date: Sun, 16 Jun 2019 12:57:58 +0300
Subject: [PATCH 4/4] Fix report content stopping to be nullable
---
 lib/pleroma/web/admin_api/views/report_view.ex | 9 ++++++++-
 test/web/admin_api/views/report_view_test.exs | 6 +++---
 2 files changed, 11 insertions(+), 4 deletions(-)
diff --git a/lib/pleroma/web/admin_api/views/report_view.ex b/lib/pleroma/web/admin_api/views/report_view.ex
index a17a23ca3..e7db3a8ff 100644
--- a/lib/pleroma/web/admin_api/views/report_view.ex
+++ b/lib/pleroma/web/admin_api/views/report_view.ex
@@ -24,6 +24,13 @@ def render("show.json", %{report: report}) do
 [account_ap_id | status_ap_ids] = report.data["object"]
 account = User.get_cached_by_ap_id(account_ap_id)
+ content =
+ unless is_nil(report.data["content"]) do
+ HTML.filter_tags(report.data["content"])
+ else
+ nil
+ end
+
 statuses =
 Enum.map(status_ap_ids, fn ap_id ->
 Activity.get_by_ap_id_with_object(ap_id)
@@ -33,7 +40,7 @@ def render("show.json", %{report: report}) do
 id: report.id,
 account: AccountView.render("account.json", %{user: account}),
 actor: AccountView.render("account.json", %{user: user}),
- content: HTML.filter_tags(report.data["content"]),
+ content: content,
 created_at: created_at,
 statuses: StatusView.render("index.json", %{activities: statuses, as: :activity}),
 state: report.data["state"]
diff --git a/test/web/admin_api/views/report_view_test.exs b/test/web/admin_api/views/report_view_test.exs
index 51c26a117..f35f36cac 100644
--- a/test/web/admin_api/views/report_view_test.exs
+++ b/test/web/admin_api/views/report_view_test.exs
@@ -17,7 +17,7 @@ test "renders a report" do
 {:ok, activity} = CommonAPI.report(user, %{"account_id" => other_user.id})
 expected = %{
- content: "",
+ content: nil,
 actor: AccountView.render("account.json", %{user: user}),
 account: AccountView.render("account.json", %{user: other_user}),
 statuses: [],
@@ -41,7 +41,7 @@ test "includes reported statuses" do
 CommonAPI.report(user, %{"account_id" => other_user.id, "status_ids" => [activity.id]})
 expected = %{
- content: "",
+ content: nil,
 actor: AccountView.render("account.json", %{user: user}),
 account: AccountView.render("account.json", %{user: other_user}),
 statuses: [StatusView.render("status.json", %{activity: activity})],
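Review bot: The `content =` block added in the first hunk of lib/pleroma/web/admin_api/views/report_view.ex (PATCH 4/4) hands every non-nil value of `report.data["content"]` to `HTML.filter_tags/1`, so a value that is not a string, such as a list or map, reaches the filter unchecked. Whether report data can carry such a value, and what the filter does with it, is not visible in this hunk. `unless … else` is also a form Elixir style checkers commonly flag; a `case` with an `is_binary/1` guard covers both points and still yields `nil` for a missing description. Returning `nil` for a non-binary value is a design choice in the sketch below, and `render/2` begins and ends outside the hunk.

```elixir
# … unchanged: account lookup …
content =
  case report.data["content"] do
    text when is_binary(text) -> HTML.filter_tags(text)
    _ -> nil
  end

# … unchanged: statuses lookup and the rendered map …
```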
@@ -92,7 +92,7 @@ test "sanitizes report description" do
 data = Map.put(activity.data, "content", "")
 activity = Map.put(activity, :data, data)
- refute %{content: ""} ==
+ refute "" ==
 ReportView.render("show.json", %{report: activity})[:content]
 end
 end
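Review bot: `refute "" == ReportView.render("show.json", %{report: activity})[:content]` only shows that the output differs from the injected input, so it also passes when the view returns `nil` or a string in which part of the markup survived the filter. The string literals appear empty on this page, presumably lost in rendering, so the actual payload cannot be checked here. Pin the exact filtered result instead: `assert ReportView.render("show.json", %{report: activity})[:content] == expected`, with `expected` written out as the literal the filter should produce for that payload. The test body starts above the hunk.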