parent
3d76420512
commit
c7acca2abb
|
@ -4,6 +4,8 @@ All notable changes to this project will be documented in this file.
|
|||
The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/).
|
||||
|
||||
## [unreleased]
|
||||
### Security
|
||||
- Mastodon API: Fix display names not being sanitized
|
||||
### Added
|
||||
- Add a generic settings store for frontends / clients to use.
|
||||
- Explicit addressing option for posting.
|
||||
|
|
|
@ -66,6 +66,8 @@ def render("relationships.json", %{user: user, targets: targets}) do
|
|||
end
|
||||
|
||||
defp do_render("account.json", %{user: user} = opts) do
|
||||
display_name = HTML.strip_tags(user.name || user.nickname)
|
||||
|
||||
image = User.avatar_url(user) |> MediaProxy.url()
|
||||
header = User.banner_url(user) |> MediaProxy.url()
|
||||
user_info = User.get_cached_user_info(user)
|
||||
|
@ -96,7 +98,7 @@ defp do_render("account.json", %{user: user} = opts) do
|
|||
id: to_string(user.id),
|
||||
username: username_from_nickname(user.nickname),
|
||||
acct: user.nickname,
|
||||
display_name: user.name || user.nickname,
|
||||
display_name: display_name,
|
||||
locked: user_info.locked,
|
||||
created_at: Utils.to_masto_date(user.inserted_at),
|
||||
followers_count: user_info.follower_count,
|
||||
|
|
|
@ -269,4 +269,10 @@ test "returns the settings store if the requesting user is the represented user
|
|||
result = AccountView.render("account.json", %{user: user, for: user})
|
||||
assert result.pleroma[:settings_store] == nil
|
||||
end
|
||||
|
||||
test "sanitizes display names" do
|
||||
user = insert(:user, name: "<marquee> username </marquee>")
|
||||
result = AccountView.render("account.json", %{user: user})
|
||||
refute result.display_name == "<marquee> username </marquee>"
|
||||
end
|
||||
end
|
||||
|
|
Loading…
Reference in a new issue