Commit c7acca2a authored by rinpatch's avatar rinpatch

Mastodon API: Sanitize display names

Closes #1000
parent 3d764205
......@@ -4,6 +4,8 @@ All notable changes to this project will be documented in this file.
The format is based on [Keep a Changelog](
## [unreleased]
### Security
- Mastodon API: Fix display names not being sanitized
### Added
- Add a generic settings store for frontends / clients to use.
- Explicit addressing option for posting.
......@@ -66,6 +66,8 @@ def render("relationships.json", %{user: user, targets: targets}) do
defp do_render("account.json", %{user: user} = opts) do
display_name = HTML.strip_tags( || user.nickname)
image = User.avatar_url(user) |> MediaProxy.url()
header = User.banner_url(user) |> MediaProxy.url()
user_info = User.get_cached_user_info(user)
......@@ -96,7 +98,7 @@ defp do_render("account.json", %{user: user} = opts) do
id: to_string(,
username: username_from_nickname(user.nickname),
acct: user.nickname,
display_name: || user.nickname,
display_name: display_name,
locked: user_info.locked,
created_at: Utils.to_masto_date(user.inserted_at),
followers_count: user_info.follower_count,
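Review bot: On the added `display_name =` line the `|| user.nickname` fallback is evaluated before `HTML.strip_tags/1`, so a name made only of markup presumably strips to an empty string and is emitted as-is rather than falling back to the nickname; the rendered line also appears to have lost its first operand in extraction (likely `user.name`). Stripping first and falling back afterwards keeps the fallback meaningful: `stripped = HTML.strip_tags(user.name || "")` and `display_name = if stripped == "", do: user.nickname, else: stripped`. Whether `strip_tags/1` only removes tags or also normalises entities is not visible here, so a one-line comment such as `# Output-side sanitization: strip HTML from the free-text name before it reaches API clients` would help the next reader. `do_render/2` continues outside the hunk.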
......@@ -269,4 +269,10 @@ test "returns the settings store if the requesting user is the represented user
result = AccountView.render("account.json", %{user: user, for: user})
assert result.pleroma[:settings_store] == nil
test "sanitizes display names" do
user = insert(:user, name: "<marquee> username </marquee>")
result = AccountView.render("account.json", %{user: user})
refute result.display_name == "<marquee> username </marquee>"
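Review bot: The new test only refutes equality with the raw input, so an implementation that, say, lower-cases the string or strips a single tag would still pass; pinning the sanitized output is stronger, e.g. `assert result.display_name == " username "` (exact whitespace handling of `HTML.strip_tags/1` is not visible here, so confirm against its output) or at minimum `refute result.display_name =~ "<marquee>"`. A second case with a name that is entirely markup would also document what the view returns when stripping leaves nothing. The test block's closing `end` is outside the hunk.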