fix(xss): add escape hepler for resources

Author: mydearxym

lib/groupher_server/cms/post.ex

@@ -17,6 +17,8 @@ defmodule GroupherServer.CMS.Post do
     Topic
   }
 
+  alias Helper.HTML
+
   @timestamps_opts [type: :utc_datetime_usec]
   @required_fields ~w(title body digest length)a
   @optional_fields ~w(origial_community_id link_addr copy_right link_addr link_icon)a
@@ -104,15 +106,7 @@ defmodule GroupherServer.CMS.Post do
     |> validate_length(:title, min: 3, max: 50)
     |> validate_length(:body, min: 3, max: 10_000)
     |> validate_length(:link_addr, min: 5, max: 400)
-
-    # |> foreign_key_constraint(:posts_tags, name: :posts_tags_tag_id_fkey)
-    # |> foreign_key_constraint(name: :posts_tags_tag_id_fkey)
-  end
-
-  @doc false
-  def update_changeset(%Post{} = post, attrs) do
-    post
-    |> cast(attrs, @optional_fields ++ @required_fields)
+    |> HTML.safe_string(:body)
 
     # |> foreign_key_constraint(:posts_tags, name: :posts_tags_tag_id_fkey)
     # |> foreign_key_constraint(name: :posts_tags_tag_id_fkey)

lib/groupher_server/cms/post_comment.ex

@@ -13,6 +13,8 @@ defmodule GroupherServer.CMS.PostComment do
     PostCommentReply
   }
 
+  alias Helper.HTML
+
   @required_fields ~w(body author_id post_id floor)a
   @optional_fields ~w(reply_id)a
 
@@ -51,13 +53,14 @@ defmodule GroupherServer.CMS.PostComment do
     |> foreign_key_constraint(:post_id)
     |> foreign_key_constraint(:author_id)
     |> validate_length(:body, min: 3, max: 2000)
+    |> HTML.safe_string(:body)
   end
 
-  @doc false
-  def update_changeset(%PostComment{} = post_comment, attrs) do
-    post_comment
-    |> cast(attrs, @required_fields ++ @optional_fields)
-    |> foreign_key_constraint(:post_id)
-    |> foreign_key_constraint(:author_id)
-  end
+  # @doc false
+  # def update_changeset(%PostComment{} = post_comment, attrs) do
+  # post_comment
+  # |> cast(attrs, @required_fields ++ @optional_fields)
+  # |> foreign_key_constraint(:post_id)
+  # |> foreign_key_constraint(:author_id)
+  # end
 end

lib/helper/html.ex

@@ -0,0 +1,22 @@
+defmodule Helper.HTML do
+  @moduledoc """
+  escape unsafe inputs, especially for the markdown contents
+  """
+
+  import Ecto.Changeset
+  alias Phoenix.HTML
+
+  def safe_string(%Ecto.Changeset{} = changeset, field) do
+    case changeset do
+      # %Ecto.Changeset{valid?: true, changes: %{body: val}} ->
+      %Ecto.Changeset{valid?: true, changes: changes} ->
+        changeset
+        |> put_change(field, escape_to_safe_string(changes[field]))
+
+      _ ->
+        changeset
+    end
+  end
+
+  defp escape_to_safe_string(v), do: v |> HTML.html_escape() |> HTML.safe_to_string()
+end

mix.exs

@@ -53,6 +53,7 @@ defmodule GroupherServer.Mixfile do
     [
       {:phoenix, "~> 1.4.1"},
       {:phoenix_pubsub, "~> 1.1.1"},
+      {:phoenix_html, "~> 2.13.3"},
       {:ecto_sql, "~> 3.1.2"},
       {:phoenix_ecto, "~> 4.0"},
       {:postgrex, ">= 0.14.1"},

test/groupher_server_web/mutation/cms/post_test.exs

@@ -63,6 +63,21 @@ defmodule GroupherServer.Test.Mutation.Post do
       assert {:ok, _} = ORM.find_by(CMS.Author, user_id: user.id)
     end
 
+    @tag :wip
+    test "create post should excape xss attracts" do
+      {:ok, user} = db_insert(:user)
+      user_conn = simu_conn(:user, user)
+
+      {:ok, community} = db_insert(:community)
+      post_attr = mock_attrs(:post, %{body: "<script>alert(\"hello,world\")</script>"})
+
+      variables = post_attr |> Map.merge(%{communityId: community.id})
+      created = user_conn |> mutation_result(@create_post_query, variables, "createPost")
+      {:ok, post} = ORM.find(CMS.Post, created["id"])
+
+      assert post.body == "&lt;script&gt;alert(&quot;hello,world&quot;)&lt;/script&gt;"
+    end
+
     # NOTE: this test is IMPORTANT, cause json_codec: Jason in router will cause
     # server crash when GraphQL parse error
     test "create post with missing non_null field should get 200 error" do