commit: a392ad52ada6d7482369409ed2cd1eff6c87ef6f
parent: 3d76420512111006f678f820d1a20f866b07bdb9
Author: lain <lain@soykaf.club>
Date:   Tue, 18 Jun 2019 20:47:07 +0000

Merge branch 'fix/mastoapi-sanitize-display-name' into 'develop'

Mastodon API: Sanitize display names

Closes #1000

See merge request pleroma/pleroma!1299

Diffstat:

MCHANGELOG.md2++
Mlib/pleroma/web/mastodon_api/views/account_view.ex4+++-
Mtest/web/mastodon_api/account_view_test.exs6++++++
3 files changed, 11 insertions(+), 1 deletion(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -4,6 +4,8 @@ All notable changes to this project will be documented in this file.
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/).
 
 ## [unreleased]
+### Security
+- Mastodon API: Fix display names not being sanitized
 ### Added
 - Add a generic settings store for frontends / clients to use.
 - Explicit addressing option for posting.
diff --git a/lib/pleroma/web/mastodon_api/views/account_view.ex b/lib/pleroma/web/mastodon_api/views/account_view.ex
@@ -66,6 +66,8 @@ defmodule Pleroma.Web.MastodonAPI.AccountView do
 end
 
 defp do_render("account.json", %{user: user} = opts) do
+ display_name = HTML.strip_tags(user.name || user.nickname)
+
 image = User.avatar_url(user) |> MediaProxy.url()
 header = User.banner_url(user) |> MediaProxy.url()
 user_info = User.get_cached_user_info(user)
@@ -96,7 +98,7 @@ defmodule Pleroma.Web.MastodonAPI.AccountView do
 id: to_string(user.id),
 username: username_from_nickname(user.nickname),
 acct: user.nickname,
- display_name: user.name || user.nickname,
+ display_name: display_name,
 locked: user_info.locked,
 created_at: Utils.to_masto_date(user.inserted_at),
 followers_count: user_info.follower_count,
diff --git a/test/web/mastodon_api/account_view_test.exs b/test/web/mastodon_api/account_view_test.exs
@@ -269,4 +269,10 @@ defmodule Pleroma.Web.MastodonAPI.AccountViewTest do
 result = AccountView.render("account.json", %{user: user, for: user})
 assert result.pleroma[:settings_store] == nil
 end
+
+ test "sanitizes display names" do
+ user = insert(:user, name: "<marquee> username </marquee>")
+ result = AccountView.render("account.json", %{user: user})
+ refute result.display_name == "<marquee> username </marquee>"
+ end
 end
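Review bot: The added `display_name = HTML.strip_tags(user.name || user.nickname)` sanitizes at this one render site only; `user.name` is still persisted unsanitized, so every other place the name is rendered (other views, templates, federation output) stays exposed unless it strips tags too. Stripping on write in the user changeset, or routing every view through one shared helper, would close that gap instead of relying on each view to remember it. Note also that the `|| user.nickname` fallback fires only when `name` is nil, so a name consisting solely of markup presumably renders as an empty display name if `HTML.strip_tags/1` returns `""` for it. A why-comment would help the next reader: `# user.name is stored raw; strip markup here so API clients never receive HTML`. `HTML` is presumably an alias for Pleroma.HTML declared above this hunk, and `do_render/2` continues past the hunk's end.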
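Review bot: `refute result.display_name == "<marquee> username </marquee>"` is too weak a check — it passes if the view returns `nil`, an empty string or mangled text, so it does not pin the sanitized output. Assert the exact expected value instead, e.g. `assert result.display_name == " username "` (adjust to whatever `HTML.strip_tags/1` actually returns for this input, which the hunk does not show). A second case with `insert(:user, name: nil)` would also cover the `user.nickname` fallback introduced alongside this test. The enclosing test module starts outside the hunk.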