Mastodon API: Sanitize display names

author rinpatch <rinpatch@sdf.org>

Tue, 18 Jun 2019 11:09:15 +0000 (14:09 +0300)

committer rinpatch <rinpatch@sdf.org>

Tue, 18 Jun 2019 11:12:11 +0000 (14:12 +0300)
author rinpatch <rinpatch@sdf.org>
Tue, 18 Jun 2019 11:09:15 +0000 (14:09 +0300)
committer rinpatch <rinpatch@sdf.org>
Tue, 18 Jun 2019 11:12:11 +0000 (14:12 +0300)
diff --git a/CHANGELOG.md b/CHANGELOG.md

index 591bcbe4c7b0a8164e9bfc43608d6d4be99aab02..5b7e5c9a14cd5af3ceace47975d001e4ea6aca5e 100644 (file)
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -4,6 +4,8 @@ All notable changes to this project will be documented in this file.
  The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/).
  
  ## [unreleased]
+### Security
+- Mastodon API: Fix display names not being sanitized
  ### Added
  - Add a generic settings store for frontends / clients to use.
  - Explicit addressing option for posting.
diff --git a/lib/pleroma/web/mastodon_api/views/account_view.ex b/lib/pleroma/web/mastodon_api/views/account_view.ex

index 72ae9bcda7a86f9dba4fa7c1391b42ca9c8c7d00..62c516f8eb97989538a1b3e3c3b0e050574ce50d 100644 (file)
--- a/lib/pleroma/web/mastodon_api/views/account_view.ex
+++ b/lib/pleroma/web/mastodon_api/views/account_view.ex
@@ -66,6 +66,8 @@ defmodule Pleroma.Web.MastodonAPI.AccountView do
    end
  
    defp do_render("account.json", %{user: user} = opts) do
+    display_name = HTML.strip_tags(user.name || user.nickname)
+
      image = User.avatar_url(user) |> MediaProxy.url()
      header = User.banner_url(user) |> MediaProxy.url()
      user_info = User.get_cached_user_info(user)
@@ -96,7 +98,7 @@ defmodule Pleroma.Web.MastodonAPI.AccountView do
        id: to_string(user.id),
        username: username_from_nickname(user.nickname),
        acct: user.nickname,
-      display_name: user.name || user.nickname,
+      display_name: display_name,
        locked: user_info.locked,
        created_at: Utils.to_masto_date(user.inserted_at),
        followers_count: user_info.follower_count,
diff --git a/test/web/mastodon_api/account_view_test.exs b/test/web/mastodon_api/account_view_test.exs

index 2ba7c050559f9820766b367b463f3e8d5f1dada7..de6aeec720a9fc229830ed02a48e8bd4b708fdee 100644 (file)
--- a/test/web/mastodon_api/account_view_test.exs
+++ b/test/web/mastodon_api/account_view_test.exs
@@ -269,4 +269,10 @@ defmodule Pleroma.Web.MastodonAPI.AccountViewTest do
      result = AccountView.render("account.json", %{user: user, for: user})
      assert result.pleroma[:settings_store] == nil
    end
+
+  test "sanitizes display names" do
+    user = insert(:user, name: "<marquee> username </marquee>")
+    result = AccountView.render("account.json", %{user: user})
+    refute result.display_name == "<marquee> username </marquee>"
+  end
  end
author	rinpatch <rinpatch@sdf.org>
	Tue, 18 Jun 2019 11:09:15 +0000 (14:09 +0300)
committer	rinpatch <rinpatch@sdf.org>
	Tue, 18 Jun 2019 11:12:11 +0000 (14:12 +0300)
CHANGELOG.md		patch \| blob \| history
lib/pleroma/web/mastodon_api/views/account_view.ex		patch \| blob \| history
test/web/mastodon_api/account_view_test.exs		patch \| blob \| history