Sanitize reason description and test, fix report in 'seed-db.js'

backend/src/middleware/xssMiddleware.js

@@ -85,7 +85,7 @@ function clean(dirty) {
   return dirty
 }
 
-const fields = ['content', 'contentExcerpt']
+const fields = ['content', 'contentExcerpt', 'reasonDescription']
 
 export default {
   Mutation: async (resolve, root, args, context, info) => {

backend/src/schema/resolvers/reports.js

@@ -2,7 +2,12 @@ import uuid from 'uuid/v4'
 
 export default {
   Mutation: {
-    report: async (_parent, { resourceId, reasonCategory, reasonDescription }, { driver, req, user }, _resolveInfo) => {
+    report: async (
+      _parent,
+      { resourceId, reasonCategory, reasonDescription },
+      { driver, _req, user },
+      _resolveInfo,
+    ) => {
       const reportId = uuid()
       const session = driver.session()
       const reportProperties = {

backend/src/schema/resolvers/reports.spec.js

@@ -123,11 +123,13 @@ describe('report', () => {
 
         it('returns a date', async () => {
           returnedObject = '{ createdAt }'
-          await expect(action()).resolves.toEqual(expect.objectContaining({
+          await expect(action()).resolves.toEqual(
-            report: {
+            expect.objectContaining({
-              createdAt: expect.any(String),
+              report: {
-            },
+                createdAt: expect.any(String),
-          }))
+              },
+            }),
+          )
         })
 
         it('returns the reason category', async () => {
@@ -155,6 +157,19 @@ describe('report', () => {
             },
           })
         })
+
+        it('sanitize the reason description', async () => {
+          variables = {
+            ...variables,
+            reasonDescription: 'My reason <sanitize></sanitize>!',
+          }
+          returnedObject = '{ reasonDescription }'
+          await expect(action()).resolves.toEqual({
+            report: {
+              reasonDescription: 'My reason !',
+            },
+          })
+        })
       })
 
       describe('reported resource is a post', () => {

backend/src/seed/seed-db.js

@@ -649,9 +649,14 @@ import { gql } from '../jest/helpers'
     ])
     authenticatedUser = null
 
+    // There is no error logged or the 'try' fails if this mutation is wrong. Why?
     const reportMutation = gql`
-      mutation($resourceId: ID!, $reasonDescription: String!) {
+      mutation($resourceId: ID!, $reasonCategory: String!, $reasonDescription: String!) {
-        report(reasonDescription: $reasonDescription, resourceId: $resourceId) {
+        report(
+          resourceId: $resourceId
+          reasonCategory: $reasonCategory
+          reasonDescription: $reasonDescription
+        ) {
           id
         }
       }
@@ -661,22 +666,25 @@ import { gql } from '../jest/helpers'
       mutate({
         mutation: reportMutation,
         variables: {
-          reasonDescription: 'This comment is bigoted',
           resourceId: 'c1',
+          reasonCategory: 'other',
+          reasonDescription: 'This comment is bigoted',
         },
       }),
       mutate({
         mutation: reportMutation,
         variables: {
-          reasonDescription: 'This post is bigoted',
           resourceId: 'p1',
+          reasonCategory: 'discrimination-etc',
+          reasonDescription: 'This post is bigoted',
         },
       }),
       mutate({
         mutation: reportMutation,
         variables: {
-          reasonDescription: 'This user is harassing me with bigoted remarks',
           resourceId: 'u1',
+          reasonCategory: 'doxing',
+          reasonDescription: 'This user is harassing me with bigoted remarks',
         },
       }),
     ])