In January 2020 Pleroma backend stopped escaping HTML in display names
and passed that responsibility on frontends, compliant with Mastodon's
version of Mastodon API [1]. Pleroma-FE was subsequently modified to
escape the display name [2], however only in the "name_html" field. This
was fine however, since that's what the code rendering display names used.
However, 2 months ago an MR [3] refactoring the way the frontend does emoji
and mention rendering was merged. One of the things it did was moving away
from doing emoji rendering in the entity normalizer and use the unescaped
'user.name' in the rendering code, resulting in HTML injection being
possible again.
This patch escapes 'user.name' as well, as far as I can tell there is no
actual use for an unescaped display name in frontend code, especially
when it comes from MastoAPI, where it is not supposed to be HTML.
[1]: https://git.pleroma.social/pleroma/pleroma-fe/-/merge_requests/1052
[2]: https://git.pleroma.social/pleroma/pleroma/-/merge_requests/2167
[3]: https://git.pleroma.social/pleroma/pleroma-fe/-/merge_requests/1392
* origin/develop: (119 commits)
Apply 1 suggestion(s) to 1 file(s)
Make it possible to localize user highlight options
remove shoutbox test hacks
fix shoutbox header, use custom scroll-to-bottom system, remove vue-chat-scroll, temporarily add chat test hack
update changelog with 2.3.0
change icons around
Translated using Weblate (Japanese)
Update timeline_quick_settings.js
add screen_name_ui to tests
separate screen_name and screen_name_ui with decoded punycode
Update CHANGELOG.md
add basic validation for statusless status notifications
changelog mention
fix chat unread badge
update shelljs to get rid of warnings on build
save a few characters
focus input in emoji picker and react picker
fix vue warnings
add only to wording
basic loggedin check for reply filtering
...
feld