Escape HTML in profile name preview in profile settings (#9446)
* fix non-escaped html in the profile settings
* provide a default profile text in case there's no custom one
* update haml syntax
* simplify default profile name to username
* sanitize user-input html but display emojified icons
gh/stable
parent
d3547fa005
commit
5c7f641565
|
@ -1,3 +1,4 @@
|
||||||
|
import escapeTextContentForBrowser from 'escape-html';
|
||||||
import loadPolyfills from '../mastodon/load_polyfills';
|
import loadPolyfills from '../mastodon/load_polyfills';
|
||||||
import ready from '../mastodon/ready';
|
import ready from '../mastodon/ready';
|
||||||
import { start } from '../mastodon/common';
|
import { start } from '../mastodon/common';
|
||||||
|
@ -133,9 +134,12 @@ function main() {
|
||||||
|
|
||||||
delegate(document, '#account_display_name', 'input', ({ target }) => {
|
delegate(document, '#account_display_name', 'input', ({ target }) => {
|
||||||
const name = document.querySelector('.card .display-name strong');
|
const name = document.querySelector('.card .display-name strong');
|
||||||
|
|
||||||
if (name) {
|
if (name) {
|
||||||
name.innerHTML = emojify(target.value);
|
if (target.value) {
|
||||||
|
name.innerHTML = emojify(escapeTextContentForBrowser(target.value));
|
||||||
|
} else {
|
||||||
|
name.textContent = document.querySelector('#default_account_display_name').textContent;
|
||||||
|
}
|
||||||
}
|
}
|
||||||
});
|
});
|
||||||
|
|
||||||
|
|
|
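Review bot: The new else branch in the `#account_display_name` input handler reads `document.querySelector('#default_account_display_name').textContent` without a null check, so on any page where the card is rendered without that hidden span, clearing the field would throw a TypeError instead of resetting the preview. A guarded form such as `const fallback = document.querySelector('#default_account_display_name');` followed by `name.textContent = fallback ? fallback.textContent : '';` keeps the handler safe. On the `innerHTML` line the escape-then-emojify order is what keeps typed markup inert, and it relies on `emojify` emitting only its own markup for already-escaped text; a comment like `// escape first: emojify returns HTML that is assigned to innerHTML` would stop a later refactor from swapping the calls. `main()` starts and ends outside the hunk.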
@ -9,6 +9,7 @@
|
||||||
= image_tag account.avatar.url, alt: '', width: 48, height: 48, class: 'u-photo'
|
= image_tag account.avatar.url, alt: '', width: 48, height: 48, class: 'u-photo'
|
||||||
|
|
||||||
.display-name
|
.display-name
|
||||||
|
%span{id: "default_account_display_name", style: "display:none;"}= account.username
|
||||||
%bdi
|
%bdi
|
||||||
%strong.emojify.p-name= display_name(account, custom_emojify: true)
|
%strong.emojify.p-name= display_name(account, custom_emojify: true)
|
||||||
%span
|
%span
|
||||||
|
|
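Review bot: The added `%span` carries a fixed `id: "default_account_display_name"`, and this partial looks like an account card that may be rendered more than once on a page; in that case the ids are duplicated and the script's `querySelector` would pick up the first card's username rather than the one being edited. Carrying the fallback on the element the script already selects, for example `%strong.emojify.p-name{ data: { default_name: account.username } }= display_name(account, custom_emojify: true)`, avoids both the extra node and the id collision. The inline `style: "display:none;"` would also be dropped by a Content-Security-Policy that disallows inline styles, leaving the username visible in the card, so a stylesheet class is the safer way to hide it if the span stays.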