Escape HTML in profile name preview in profile settings #9446
Conversation
| @@ -9,6 +9,7 @@ | |||
| = image_tag account.avatar.url, alt: '', width: 48, height: 48, class: 'u-photo' | |||
|
|
|||
| .display-name | |||
| %span{:id=>"default_account_display_name", :style=>"display:none;"}= display_name(account, custom_emojify: true) | |||
There was a problem hiding this comment.
Use id: "" style, the => style is outdated
There was a problem hiding this comment.
since the default display name is always just the username, we should display that instead. this will give incorrect results for users trying to unset their display name
There was a problem hiding this comment.
Is the username anywhere else on the page for JS to fetch, or should we provide it some other way through Ruby?
app/javascript/packs/public.js
Outdated
| if (name) { | ||
| name.innerHTML = emojify(target.value); | ||
| if (target.value) { | ||
| name.textContent = emojify(target.value); |
There was a problem hiding this comment.
textContent = emojify doesn't work, since emojify returns img tags for custom emoji
There was a problem hiding this comment.
Okay, I think there may be a wider bug, but even on master I cannot see the emojis in this field. I checked out https://writing.exchange/ and https://chaos.social/ and it doesn't work there, either.
| @@ -9,6 +9,7 @@ | |||
| = image_tag account.avatar.url, alt: '', width: 48, height: 48, class: 'u-photo' | |||
|
|
|||
| .display-name | |||
| %span{:id=>"default_account_display_name", :style=>"display:none;"}= display_name(account, custom_emojify: true) | |||
There was a problem hiding this comment.
since the default display name is always just the username, we should display that instead. this will give incorrect results for users trying to unset their display name
| @@ -9,6 +9,7 @@ | |||
| = image_tag account.avatar.url, alt: '', width: 48, height: 48, class: 'u-photo' | |||
|
|
|||
| .display-name | |||
| %span{id: "default_account_display_name", style: "display:none;"}= display_name(account, custom_emojify: true) | |||
There was a problem hiding this comment.
since the default display name is always just the username, we should display that instead. this will give incorrect results for users trying to unset their display name
|
I've started looking at https://github.com/tootsuite/mastodon/blob/master/app/javascript/mastodon/features/emoji/emoji.js and there's something seriously wrong with it. Does it work for anyone? I tested it on my local instance, chaos.social and writing.exchange and it doesn't emojify the profile. From what I see the extremely convoluted I'd like to refactor that function, but first I'd like to know if it works for anybody, anywhere.. |
|
Okay, after several hours of debugging I have no idea how |
|
Managed to handle the emojified unicode, but I have no idea if this will work for custom icons as well or how to test them. |
* fix non-escaped html in the profile settings * provide a default profile text in case if there's no custom one * update haml syntax * simplify default profile name to username * sanitize user-input html but display emojified icons
Addresses #9343 . Additionally falls back to the default profile name if user deletes their custom one.
Right now the data about the default name is set in a
display: nonespan, but it can be provided to JavaScript in some other way.Personally I'd rewrite this view to React some day, but we should be good for now.