1
0
Fork 0
forked from mirrors/akkoma

Mastodon API: Sanitize display names

Closes #1000
This commit is contained in:
rinpatch 2019-06-18 14:09:15 +03:00
parent 3d76420512
commit c7acca2abb
3 changed files with 11 additions and 1 deletions

View file

@ -4,6 +4,8 @@ All notable changes to this project will be documented in this file.
The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/).
## [unreleased]
### Security
- Mastodon API: Fix display names not being sanitized
### Added
- Add a generic settings store for frontends / clients to use.
- Explicit addressing option for posting.

View file

@ -66,6 +66,8 @@ def render("relationships.json", %{user: user, targets: targets}) do
end
defp do_render("account.json", %{user: user} = opts) do
display_name = HTML.strip_tags(user.name || user.nickname)
image = User.avatar_url(user) |> MediaProxy.url()
header = User.banner_url(user) |> MediaProxy.url()
user_info = User.get_cached_user_info(user)
@ -96,7 +98,7 @@ defp do_render("account.json", %{user: user} = opts) do
id: to_string(user.id),
username: username_from_nickname(user.nickname),
acct: user.nickname,
display_name: user.name || user.nickname,
display_name: display_name,
locked: user_info.locked,
created_at: Utils.to_masto_date(user.inserted_at),
followers_count: user_info.follower_count,

View file

@ -269,4 +269,10 @@ test "returns the settings store if the requesting user is the represented user
result = AccountView.render("account.json", %{user: user, for: user})
assert result.pleroma[:settings_store] == nil
end
test "sanitizes display names" do
user = insert(:user, name: "<marquee> username </marquee>")
result = AccountView.render("account.json", %{user: user})
refute result.display_name == "<marquee> username </marquee>"
end
end