From c7acca2abb665e09ead548881746d42f2f4ce6e6 Mon Sep 17 00:00:00 2001
From: rinpatch
Date: Tue, 18 Jun 2019 14:09:15 +0300
Subject: [PATCH] Mastodon API: Sanitize display names

Closes #1000
---
 CHANGELOG.md                                       | 2 ++
 lib/pleroma/web/mastodon_api/views/account_view.ex | 4 +++-
 test/web/mastodon_api/account_view_test.exs        | 6 ++++++
 3 files changed, 11 insertions(+), 1 deletion(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 591bcbe4c..5b7e5c9a1 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -4,6 +4,8 @@ All notable changes to this project will be documented in this file.
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/).
 
 ## [unreleased]
+### Security
+- Mastodon API: Fix display names not being sanitized
 ### Added
 - Add a generic settings store for frontends / clients to use.
 - Explicit addressing option for posting.
diff --git a/lib/pleroma/web/mastodon_api/views/account_view.ex b/lib/pleroma/web/mastodon_api/views/account_view.ex
index 72ae9bcda..62c516f8e 100644
--- a/lib/pleroma/web/mastodon_api/views/account_view.ex
+++ b/lib/pleroma/web/mastodon_api/views/account_view.ex
@@ -66,6 +66,8 @@ def render("relationships.json", %{user: user, targets: targets}) do
   end
 
   defp do_render("account.json", %{user: user} = opts) do
+    display_name = HTML.strip_tags(user.name || user.nickname)
+
     image = User.avatar_url(user) |> MediaProxy.url()
     header = User.banner_url(user) |> MediaProxy.url()
     user_info = User.get_cached_user_info(user)
@@ -96,7 +98,7 @@ defp do_render("account.json", %{user: user} = opts) do
       id: to_string(user.id),
       username: username_from_nickname(user.nickname),
       acct: user.nickname,
-      display_name: user.name || user.nickname,
+      display_name: display_name,
       locked: user_info.locked,
       created_at: Utils.to_masto_date(user.inserted_at),
       followers_count: user_info.follower_count,
diff --git a/test/web/mastodon_api/account_view_test.exs b/test/web/mastodon_api/account_view_test.exs
index 2ba7c0505..de6aeec72 100644
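Review bot: `display_name = HTML.strip_tags(user.name || user.nickname)` removes markup, but the hunk does not show what the helper does with character entities; if `HTML.strip_tags` returns entity-escaped text, a name containing `&` would reach clients as `&amp;` in a field that is exposed as plain text, so the helper's output form is worth confirming (as is that `HTML` is aliased in the module header, which lies outside the hunk). The stripped value is consumed only at the `display_name:` key in the second hunk of this file; the rest of `do_render` is outside both hunks. A short why-comment on the new line would help the next maintainer, e.g. `# strip markup from the display name before exposing it as plain text (#1000)`. Note that the inherited `user.name || user.nickname` keeps an empty-string name, since only nil and false are falsy, so an empty `display_name` is still possible after this change.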
--- a/test/web/mastodon_api/account_view_test.exs
+++ b/test/web/mastodon_api/account_view_test.exs
@@ -269,4 +269,10 @@ test "returns the settings store if the requesting user is the represented user
     result = AccountView.render("account.json", %{user: user, for: user})
     assert result.pleroma[:settings_store] == nil
   end
+
+  test "sanitizes display names" do
+    user = insert(:user, name: " username ")
+    result = AccountView.render("account.json", %{user: user})
+    refute result.display_name == " username "
+  end
 end
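Review bot: As rendered here the fixture `name: " username "` contains no markup, so `HTML.strip_tags` would return it unchanged and `refute result.display_name == " username "` would fail; presumably the literal carried HTML tags that were dropped when the patch was rendered, so confirm the committed fixture really contains tags. Even then the assertion is weak: `refute` only proves the output differs from the input, not that the markup is gone and the visible text is intact, so prefer pinning the exact stripped value, e.g. `assert result.display_name == "<expected stripped text>"` (placeholder for the real expected string). The enclosing `describe` block and module start outside the hunk.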