From: Alex Gleason <alex@alexgleason.me>
Date: Fri, 17 Jul 2020 01:25:53 +0000 (-0500)
Subject: Sanitize `reason` param in POST /api/v1/accounts
X-Git-Url: https://git.squeep.com/?a=commitdiff_plain;h=5e745567031e87ee0854dca8d10065449af27d9c;p=akkoma

Sanitize `reason` param in POST /api/v1/accounts
---

diff --git a/lib/pleroma/web/twitter_api/twitter_api.ex b/lib/pleroma/web/twitter_api/twitter_api.ex
index 2294d9d0d..424a705dd 100644
--- a/lib/pleroma/web/twitter_api/twitter_api.ex
+++ b/lib/pleroma/web/twitter_api/twitter_api.ex
@@ -7,6 +7,7 @@ defmodule Pleroma.Web.TwitterAPI.TwitterAPI do
 
   alias Pleroma.Emails.Mailer
   alias Pleroma.Emails.UserEmail
+  alias Pleroma.HTML
   alias Pleroma.Repo
   alias Pleroma.User
   alias Pleroma.UserInviteToken
@@ -19,7 +20,7 @@ defmodule Pleroma.Web.TwitterAPI.TwitterAPI do
       |> Map.put(:nickname, params[:username])
       |> Map.put(:name, Map.get(params, :fullname, params[:username]))
       |> Map.put(:password_confirmation, params[:password])
-      |> Map.put(:registration_reason, params[:reason])
+      |> Map.put(:registration_reason, HTML.strip_tags(params[:reason]))
 
     if Pleroma.Config.get([:instance, :registrations_open]) do
       create_user(params, opts)