pleroma-fe/src
rinpatch d36b45ad43 entity_normalizer: Escape name when parsing user
In January 2020 the Pleroma backend stopped escaping HTML in display names
and passed that responsibility on to frontends, compliant with Mastodon's
version of Mastodon API [1]. Pleroma-FE was subsequently modified to
escape the display name [2], however only in the "name_html" field. This
was fine, however, since that's what the code rendering display names used.

However, 2 months ago an MR [3] refactoring the way the frontend does emoji
and mention rendering was merged. One of the things it did was moving away
from doing emoji rendering in the entity normalizer and using the unescaped
'user.name' in the rendering code, resulting in HTML injection being
possible again.

This patch escapes 'user.name' as well; as far as I can tell, there is no
actual use for an unescaped display name in frontend code, especially
when it comes from MastoAPI, where it is not supposed to be HTML.

[1]: https://git.pleroma.social/pleroma/pleroma-fe/-/merge_requests/1052
[2]: https://git.pleroma.social/pleroma/pleroma/-/merge_requests/2167
[3]: https://git.pleroma.social/pleroma/pleroma-fe/-/merge_requests/1392
2021-11-16 20:35:23 +03:00
assets Use an existing image served by backend instead 2019-02-03 13:30:54 -05:00
boot Use old value to discover if Shoutbox is available until we ship a new release that's declaring the feature as "shout" 2021-06-01 16:48:40 -05:00
components entity_normalizer: Escape name when parsing user 2021-11-16 20:35:23 +03:00
directives refactor using Set 2019-10-21 20:57:36 -04:00
hocs make with-load-more not use computeds when they don't work for it 2020-12-28 17:08:15 +02:00
i18n Merge branch 'showMobileNewPost' into 'develop' 2021-09-09 12:19:53 +00:00
lib Linting + docs 2020-06-13 11:53:16 +02:00
modules Merge branch 'showMobileNewPost' into 'develop' 2021-09-09 12:19:53 +00:00
services entity_normalizer: Escape name when parsing user 2021-11-16 20:35:23 +03:00
_variables.scss Add Chats 2020-07-08 15:21:31 +03:00
App.js Merge branch 'develop' into 'showMobileNewPost' 2021-06-15 21:49:33 +00:00
App.scss moved transparent button styles into button itself 2021-06-08 10:14:49 +03:00
App.vue Merge branch 'develop' into 'showMobileNewPost' 2021-06-15 21:49:33 +00:00
main.js Rename legacy PleromaFE Chat functionality to "Shout" 2021-06-01 12:51:20 -05:00
sw.js ServiceWorker: Use clearer variable names 2020-06-19 15:24:06 +02:00