- Nov 16, 2021
rinpatch authored
In January 2020 Pleroma backend stopped escaping HTML in display names and passed that responsibility on to frontends, compliant with Mastodon's version of Mastodon API [1]. Pleroma-FE was subsequently modified to escape the display name [2], however only in the "name_html" field. This was fine however, since that's what the code rendering display names used.

However, 2 months ago an MR [3] refactoring the way the frontend does emoji and mention rendering was merged. One of the things it did was moving away from doing emoji rendering in the entity normalizer and using the unescaped 'user.name' in the rendering code, resulting in HTML injection being possible again.

This patch escapes 'user.name' as well. As far as I can tell there is no actual use for an unescaped display name in frontend code, especially when it comes from MastoAPI, where it is not supposed to be HTML.

[1]: pleroma/pleroma-fe!1052
[2]: pleroma/pleroma!2167
[3]: pleroma/pleroma-fe!1392
- Aug 14, 2021
HJ authored
- Aug 13, 2021
- Jun 18, 2021
HJ authored
- Jun 13, 2021
HJ authored
handling of broken cases
- Jun 12, 2021
- Jun 11, 2021
- Jun 10, 2021
HJ authored
- Jun 07, 2021
- Jun 02, 2021
- Apr 21, 2021
Matilde Park authored
Prevents a crash on undefined screen name cases.
- Apr 11, 2021
- Apr 09, 2021
HJ authored
- Mar 09, 2021
HJ authored
- Mar 08, 2021
- Feb 26, 2021
Shpuld Shpludson authored
-
Shpuld Shpludson authored
- Feb 17, 2021
Shpuld Shpludson authored
- Jan 28, 2021
HJ authored
- Jan 23, 2021
HJ authored
- Jan 21, 2021
rinpatch authored
This seems more intuitive to me and is what I've seen in most other language pickers.
- Jan 20, 2021
- Jan 19, 2021
feld authored
- Jan 18, 2021
feld authored
- Jan 13, 2021
HJ authored