Escape HTML in profile name preview in profile settings (#9446)

* fix non-escaped html in the profile settings

* provide a default profile text in case there's no custom one

* update haml syntax

* simplify default profile name to username

* sanitize user-input html but display emojified icons
Paweł Ngei 6 years ago committed by Eugen Rochko
parent d3547fa005
commit 5c7f641565
  1. 8
      app/javascript/packs/public.js
  2. 1
      app/views/application/_card.html.haml

@ -1,3 +1,4 @@
import escapeTextContentForBrowser from 'escape-html';
import loadPolyfills from '../mastodon/load_polyfills'; import loadPolyfills from '../mastodon/load_polyfills';
import ready from '../mastodon/ready'; import ready from '../mastodon/ready';
import { start } from '../mastodon/common'; import { start } from '../mastodon/common';
@ -133,9 +134,12 @@ function main() {
delegate(document, '#account_display_name', 'input', ({ target }) => { delegate(document, '#account_display_name', 'input', ({ target }) => {
const name = document.querySelector('.card .display-name strong'); const name = document.querySelector('.card .display-name strong');
if (name) { if (name) {
name.innerHTML = emojify(target.value); if (target.value) {
name.innerHTML = emojify(escapeTextContentForBrowser(target.value));
} else {
name.textContent = document.querySelector('#default_account_display_name').textContent;
}
} }
}); });
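Review bot: The new fallback branch dereferences `document.querySelector('#default_account_display_name')` with no null check, so any page that renders this card without the hidden span (or a stale cached partial) turns an empty input into a TypeError inside the handler instead of clearing the preview. Guarding it costs two lines: `const fallback = document.querySelector('#default_account_display_name');` and `name.textContent = fallback ? fallback.textContent : '';`. The escape-before-emojify order is the security-relevant part of this change and is worth a comment on the `innerHTML` line, e.g. `// Escape first: target.value is untrusted user input and this goes through innerHTML; emojify is trusted to add only its own shortcode markup.` (that last clause is an assumption about emojify, whose implementation is not in this diff). The enclosing `main()` function starts outside the hunk.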

@ -9,6 +9,7 @@
= image_tag account.avatar.url, alt: '', width: 48, height: 48, class: 'u-photo' = image_tag account.avatar.url, alt: '', width: 48, height: 48, class: 'u-photo'
.display-name .display-name
%span{id: "default_account_display_name", style: "display:none;"}= account.username
%bdi %bdi
%strong.emojify.p-name= display_name(account, custom_emojify: true) %strong.emojify.p-name= display_name(account, custom_emojify: true)
%span %span
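Review bot: The hidden span uses a fixed `id` plus an inline `style` attribute; if this shared `application/_card` partial is rendered more than once on a page the id is duplicated and the JS `querySelector` will read the first card's username, and an inline style is blocked under a Content-Security-Policy without `style-src 'unsafe-inline'`. Consider `%span{id: "default_account_display_name", hidden: true}= account.username`, which emits the HTML5 `hidden` boolean attribute and needs no inline style. Whether the partial appears more than once per page is not visible here, so the duplicate-id point is an inference. The value itself is safe as written: HAML escapes `account.username` and the JS side reads it via `textContent`.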
