Skip to content
Snippets Groups Projects
Select Git revision
  • renovate/ruffle-rs-ruffle-0.x
  • renovate/eslint-plugin-vue-10.x
  • renovate/cropperjs-2.x
  • renovate/chromedriver-134.x
  • renovate/nightwatch-3.x
  • renovate/vitest-monorepo
  • renovate/vite-6.x-lockfile
  • weblate
  • develop default protected
  • renovate/playwright-monorepo
  • renovate/chai-5.x
  • renovate/node-22.x
  • audio-viz
  • emoji-pack-upload
  • tusooa/1222-in-reply-to
  • separate-admin-build
  • master protected
  • release/2.7.x
  • appearance-tab
  • cherry-pick-631c2532
  • 2.7.1
  • 2.7.0
  • 2.6.1
  • 2.6.0
  • 2.5.0
  • 2.4.2
  • 2.4.0
  • 2.3.0
  • 2.2.3
  • 2.2.2
  • 2.2.1
  • 2.2.0
  • 2.1.2
  • 2.1.1
  • 2.1.0
  • 2.0.5
  • 2.0.3
  • 2.0.2
  • 0.9.999
  • 0.9.99
40 results
Search by author
  • Any Author
  • Duponin Duponin Duponin
  • HJ HJ hj
  • Haelwenn Haelwenn lanodan
  • Sean King Sean King seanking
  • feld feld feld
  • href href href
  • lain lain lambadalambda
  • mkljczk mkljczk
  • **** project_1_bot_009dbc9f905582badff289f06f46865f
  • renovate-bot renovate-bot
  • tusooa tusooa tusooa
  • vaartis vaartis vaartis
  • weblate bot weblate-bot
13 authors
  1. Jan 12, 2023
  3. Dec 24, 2022
  5. Sep 18, 2022
  7. Jul 31, 2022
    • HJ's avatar
      --fix · fddb531e
      HJ authored
      fddb531e
  9. May 22, 2022
  11. May 21, 2022
  13. Apr 30, 2022
  15. Feb 22, 2022
  17. Nov 16, 2021
    • rinpatch's avatar
      entity_normalizer: Escape name when parsing user · d36b45ad
      rinpatch authored 
      In January 2020 Pleroma backend stopped escaping HTML in display names
and passed that responsibility on frontends, compliant with Mastodon's
version of Mastodon API [1]. Pleroma-FE was subsequently modified to
escape the display name [2], however only in the "name_html" field. This
was fine however, since that's what the code rendering display names used.

However, 2 months ago an MR [3] refactoring the way the frontend does emoji
and mention rendering was merged. One of the things it did was moving away
from doing emoji rendering in the entity normalizer and use the unescaped
'user.name' in the rendering code, resulting in HTML injection being
possible again.

This patch escapes 'user.name' as well, as far as I can tell there is no
actual use for an unescaped display name in frontend code, especially
when it comes from MastoAPI, where it is not supposed to be HTML.

[1]: !1052
[2]: pleroma!2167
[3]: !1392
      d36b45ad
  19. Dec 02, 2020
  21. Nov 18, 2020
  23. Oct 20, 2020
  25. Jul 08, 2020
  27. Jun 21, 2020
  29. Jun 19, 2020
  31. Jun 09, 2020
  33. May 25, 2020
  35. May 10, 2020
  37. May 03, 2020