From 5c7f641565e8022c3d8d704e49b510a79e5f16ad Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Pawe=C5=82=20Ngei?= <github@alxd.org>
Date: Fri, 7 Dec 2018 16:42:22 +0100
Subject: [PATCH] Escape HTML in profile name preview in profile settings
 (#9446)

* fix non-escaped html in the profile settings

* provide a default profile text in case if there's no custom one

* update haml syntax

* simplify default profile name to username

* sanitize user-input html but display emojified icons
---
 app/javascript/packs/public.js        | 8 ++++++--
 app/views/application/_card.html.haml | 1 +
 2 files changed, 7 insertions(+), 2 deletions(-)

diff --git a/app/javascript/packs/public.js b/app/javascript/packs/public.js
index 36b1fd26b..6ba37c049 100644
--- a/app/javascript/packs/public.js
+++ b/app/javascript/packs/public.js
@@ -1,3 +1,4 @@
+import escapeTextContentForBrowser from 'escape-html';
 import loadPolyfills from '../mastodon/load_polyfills';
 import ready from '../mastodon/ready';
 import { start } from '../mastodon/common';
@@ -133,9 +134,12 @@ function main() {
 
   delegate(document, '#account_display_name', 'input', ({ target }) => {
     const name = document.querySelector('.card .display-name strong');
-
     if (name) {
-      name.innerHTML = emojify(target.value);
+      if (target.value) {
+        name.innerHTML = emojify(escapeTextContentForBrowser(target.value));
+      } else {
+        name.textContent = document.querySelector('#default_account_display_name').textContent;
+      }
     }
   });
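Review bot: The fallback branch dereferences `document.querySelector('#default_account_display_name').textContent` without a null check, so clearing the field on any page where the card partial is not rendered (or the hidden span is later removed) throws a TypeError inside the input handler. The guard on `name` a few lines above already shows the pattern to follow: `const fallback = document.querySelector('#default_account_display_name');` and `name.textContent = fallback ? fallback.textContent : '';`. The escape-then-emojify order on the non-empty branch is the right one, since the escaped string is what `emojify` receives before the result is assigned to `innerHTML`; a short comment such as `// escape first: emojify only adds trusted markup on top of already-escaped text` would make that invariant explicit for the next edit. The enclosing `main()` function begins before this hunk.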
 
diff --git a/app/views/application/_card.html.haml b/app/views/application/_card.html.haml
index 9cf8f8ff2..e6059b035 100644
--- a/app/views/application/_card.html.haml
+++ b/app/views/application/_card.html.haml
@@ -9,6 +9,7 @@
         = image_tag account.avatar.url, alt: '', width: 48, height: 48, class: 'u-photo'
 
       .display-name
+        %span{id: "default_account_display_name", style: "display:none;"}= account.username
         %bdi
           %strong.emojify.p-name= display_name(account, custom_emojify: true)
         %span
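Review bot: The hidden fallback span is hidden with an inline `style` attribute, which is blocked under a `style-src` policy that does not allow `'unsafe-inline'` and would then render the username visibly next to the display name; the HTML `hidden` attribute does the same job without any inline CSS, e.g. `%span{ id: 'default_account_display_name', hidden: true }= account.username`. The value itself is HAML-escaped by default, so the JS side reading `textContent` stays safe. I cannot tell from this hunk whether the app ships a restrictive CSP, so treat the policy concern as something to confirm.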