1. 03 Dec, 2021 2 commits
  2. 16 Nov, 2021 2 commits
    • HJ's avatar
      Merge branch 'fix/escape-display-name' into 'develop' · ea0887a1
      HJ authored
      entity_normalizer: Escape name when parsing user
      
      See merge request !1415
      ea0887a1
    • rinpatch's avatar
      entity_normalizer: Escape name when parsing user · d36b45ad
      rinpatch authored
      In January 2020 Pleroma backend stopped escaping HTML in display names
      and passed that responsibility on frontends, compliant with Mastodon's
      version of Mastodon API [1]. Pleroma-FE was subsequently modified to
      escape the display name [2], however only in the "name_html" field. This
      was fine however, since that's what the code rendering display names used.
      
      However, 2 months ago an MR [3] refactoring the way the frontend does emoji
      and mention rendering was merged. One of the things it did was moving away
      from doing emoji rendering in the entity normalizer and use the unescaped
      'user.name' in the rendering code, resulting in HTML injection being
      possible again.
      
      This patch escapes 'user.name' as well, as far as I can tell there is no
      actual use for an unescaped display name in frontend code, especially
      when it comes from MastoAPI, where it is not supposed to be HTML.
      
      [1]: !1052
      [2]: pleroma!2167
      [3]: !1392
      d36b45ad
  3. 09 Sep, 2021 3 commits
  4. 07 Sep, 2021 3 commits
  5. 05 Sep, 2021 5 commits
  6. 02 Sep, 2021 2 commits
  7. 30 Aug, 2021 23 commits