authorChris <ccbrown112@gmail.com>2018-02-08 10:54:45 -0600
committerJoram Wilander <jwawilander@gmail.com>2018-02-08 11:54:45 -0500
commitcf929476bdaa9a388fdfde62889bbef2a4dbf1c2 (patch)
treedef1d65fb9c74c19ad21ab4b7e1382da204ebe05 /model
parentf28ee8d7c8edb82a8a1cd649be539814684a7414 (diff)
fix client4 post sanitization (#8219)
Diffstat (limited to 'model')
-rw-r--r--model/client4.go4
-rw-r--r--model/client4_test.go58
-rw-r--r--model/post.go13
3 files changed, 67 insertions, 8 deletions
diff --git a/model/client4.go b/model/client4.go
index 0694ecbdf..962b816bb 100644
--- a/model/client4.go
+++ b/model/client4.go
@@ -1729,7 +1729,7 @@ func (c *Client4) RemoveUserFromChannel(channelId, userId string) (bool, *Respon
// CreatePost creates a post based on the provided post struct.
func (c *Client4) CreatePost(post *Post) (*Post, *Response) {
- if r, err := c.DoApiPost(c.GetPostsRoute(), post.ToJson()); err != nil {
+ if r, err := c.DoApiPost(c.GetPostsRoute(), post.ToUnsanitizedJson()); err != nil {
return nil, BuildErrorResponse(r, err)
} else {
defer closeBody(r)
@@ -1739,7 +1739,7 @@ func (c *Client4) CreatePost(post *Post) (*Post, *Response) {
// UpdatePost updates a post based on the provided post struct.
func (c *Client4) UpdatePost(postId string, post *Post) (*Post, *Response) {
- if r, err := c.DoApiPut(c.GetPostRoute(postId), post.ToJson()); err != nil {
+ if r, err := c.DoApiPut(c.GetPostRoute(postId), post.ToUnsanitizedJson()); err != nil {
return nil, BuildErrorResponse(r, err)
} else {
defer closeBody(r)
diff --git a/model/client4_test.go b/model/client4_test.go
new file mode 100644
index 000000000..f7923fa8f
--- /dev/null
+++ b/model/client4_test.go
@@ -0,0 +1,58 @@
+// Copyright (c) 2015-present Mattermost, Inc. All Rights Reserved.
+// See License.txt for license information.
+
+package model
+
+import (
+ "net/http"
+ "net/http/httptest"
+ "testing"
+
+ "github.com/stretchr/testify/assert"
+)
+
+// https://github.com/mattermost/mattermost-server/issues/8205
+func TestClient4CreatePost(t *testing.T) {
+ post := &Post{
+ Props: map[string]interface{}{
+ "attachments": []*SlackAttachment{
+ &SlackAttachment{
+ Actions: []*PostAction{
+ &PostAction{
+ Integration: &PostActionIntegration{
+ Context: map[string]interface{}{
+ "foo": "bar",
+ },
+ URL: "http://foo.com",
+ },
+ Name: "Foo",
+ },
+ },
+ },
+ },
+ },
+ }
+
+ server := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+ attachments := PostFromJson(r.Body).Attachments()
+ assert.Equal(t, []*SlackAttachment{
+ &SlackAttachment{
+ Actions: []*PostAction{
+ &PostAction{
+ Integration: &PostActionIntegration{
+ Context: map[string]interface{}{
+ "foo": "bar",
+ },
+ URL: "http://foo.com",
+ },
+ Name: "Foo",
+ },
+ },
+ },
+ }, attachments)
+ }))
+
+ client := NewAPIv4Client(server.URL)
+ _, resp := client.CreatePost(post)
+ assert.Equal(t, http.StatusOK, resp.StatusCode)
+}
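Review bot: The httptest server created by `server := httptest.NewServer(...)` is never shut down; add `defer server.Close()` directly after it so the listener does not outlive the test. The test also exercises only CreatePost, while the same commit makes the identical change to UpdatePost, so a matching case through `client.UpdatePost` would pin both paths. The handler writes no response body and the returned post is discarded with `_`, which is fine for this check but deserves a one-line comment such as `// only the request body is under test; the response is left empty`.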
diff --git a/model/post.go b/model/post.go
index 7cf0f1b35..4a774b5d4 100644
--- a/model/post.go
+++ b/model/post.go
@@ -122,12 +122,13 @@ type PostActionIntegrationResponse struct {
func (o *Post) ToJson() string {
copy := *o
copy.StripActionIntegrations()
- b, err := json.Marshal(&copy)
- if err != nil {
- return ""
- } else {
- return string(b)
- }
+ b, _ := json.Marshal(&copy)
+ return string(b)
+}
+
+func (o *Post) ToUnsanitizedJson() string {
+ b, _ := json.Marshal(o)
+ return string(b)
}
func PostFromJson(data io.Reader) *Post {
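Review bot: The new exported `ToUnsanitizedJson` has no doc comment, and `ToJson` does not say that it strips action integrations, so a later caller has nothing to tell them which one is safe for data that reaches other users. I would add `// ToUnsanitizedJson serializes the post as-is, including action integration URLs and context; use it only for requests sent to the server.` and, above ToJson, `// ToJson serializes a copy of the post with action integrations stripped.` What StripActionIntegrations removes is not visible in this hunk, so the wording should be checked against it. Both methods also discard the json.Marshal error with `b, _ :=`; the result is still an empty string on failure, but CreatePost and UpdatePost would then send an empty body with nothing to indicate why.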