Sanitize `reason` param in POST /api/v1/accounts

author Alex Gleason <alex@alexgleason.me>

Fri, 17 Jul 2020 01:25:53 +0000 (20:25 -0500)

committer Alex Gleason <alex@alexgleason.me>

Fri, 17 Jul 2020 01:25:53 +0000 (20:25 -0500)
author Alex Gleason <alex@alexgleason.me>
Fri, 17 Jul 2020 01:25:53 +0000 (20:25 -0500)
committer Alex Gleason <alex@alexgleason.me>
Fri, 17 Jul 2020 01:25:53 +0000 (20:25 -0500)
diff --git a/lib/pleroma/web/twitter_api/twitter_api.ex b/lib/pleroma/web/twitter_api/twitter_api.ex

index 2294d9d0dd82f800cc9e88c383d6a19beee3c330..424a705ddaa679196a169948705409e1b8ad48d6 100644 (file)
--- a/lib/pleroma/web/twitter_api/twitter_api.ex
+++ b/lib/pleroma/web/twitter_api/twitter_api.ex
@@ -7,6 +7,7 @@ defmodule Pleroma.Web.TwitterAPI.TwitterAPI do
  
    alias Pleroma.Emails.Mailer
    alias Pleroma.Emails.UserEmail
+  alias Pleroma.HTML
    alias Pleroma.Repo
    alias Pleroma.User
    alias Pleroma.UserInviteToken
@@ -19,7 +20,7 @@ defmodule Pleroma.Web.TwitterAPI.TwitterAPI do
        |> Map.put(:nickname, params[:username])
        |> Map.put(:name, Map.get(params, :fullname, params[:username]))
        |> Map.put(:password_confirmation, params[:password])
-      |> Map.put(:registration_reason, params[:reason])
+      |> Map.put(:registration_reason, HTML.strip_tags(params[:reason]))
  
      if Pleroma.Config.get([:instance, :registrations_open]) do
        create_user(params, opts)
author	Alex Gleason <alex@alexgleason.me>
	Fri, 17 Jul 2020 01:25:53 +0000 (20:25 -0500)
committer	Alex Gleason <alex@alexgleason.me>
	Fri, 17 Jul 2020 01:25:53 +0000 (20:25 -0500)