parent
3d76420512
commit
c7acca2abb
|
@ -4,6 +4,8 @@ All notable changes to this project will be documented in this file.
|
||||||
The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/).
|
The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/).
|
||||||
|
|
||||||
## [unreleased]
|
## [unreleased]
|
||||||
|
### Security
|
||||||
|
- Mastodon API: Fix display names not being sanitized
|
||||||
### Added
|
### Added
|
||||||
- Add a generic settings store for frontends / clients to use.
|
- Add a generic settings store for frontends / clients to use.
|
||||||
- Explicit addressing option for posting.
|
- Explicit addressing option for posting.
|
||||||
|
|
|
@ -66,6 +66,8 @@ def render("relationships.json", %{user: user, targets: targets}) do
|
||||||
end
|
end
|
||||||
|
|
||||||
defp do_render("account.json", %{user: user} = opts) do
|
defp do_render("account.json", %{user: user} = opts) do
|
||||||
|
display_name = HTML.strip_tags(user.name || user.nickname)
|
||||||
|
|
||||||
image = User.avatar_url(user) |> MediaProxy.url()
|
image = User.avatar_url(user) |> MediaProxy.url()
|
||||||
header = User.banner_url(user) |> MediaProxy.url()
|
header = User.banner_url(user) |> MediaProxy.url()
|
||||||
user_info = User.get_cached_user_info(user)
|
user_info = User.get_cached_user_info(user)
|
||||||
|
@ -96,7 +98,7 @@ defp do_render("account.json", %{user: user} = opts) do
|
||||||
id: to_string(user.id),
|
id: to_string(user.id),
|
||||||
username: username_from_nickname(user.nickname),
|
username: username_from_nickname(user.nickname),
|
||||||
acct: user.nickname,
|
acct: user.nickname,
|
||||||
display_name: user.name || user.nickname,
|
display_name: display_name,
|
||||||
locked: user_info.locked,
|
locked: user_info.locked,
|
||||||
created_at: Utils.to_masto_date(user.inserted_at),
|
created_at: Utils.to_masto_date(user.inserted_at),
|
||||||
followers_count: user_info.follower_count,
|
followers_count: user_info.follower_count,
|
||||||
|
|
|
@ -269,4 +269,10 @@ test "returns the settings store if the requesting user is the represented user
|
||||||
result = AccountView.render("account.json", %{user: user, for: user})
|
result = AccountView.render("account.json", %{user: user, for: user})
|
||||||
assert result.pleroma[:settings_store] == nil
|
assert result.pleroma[:settings_store] == nil
|
||||||
end
|
end
|
||||||
|
|
||||||
|
test "sanitizes display names" do
|
||||||
|
user = insert(:user, name: "<marquee> username </marquee>")
|
||||||
|
result = AccountView.render("account.json", %{user: user})
|
||||||
|
refute result.display_name == "<marquee> username </marquee>"
|
||||||
|
end
|
||||||
end
|
end
|
||||||
|
|
Loading…
Reference in New Issue