author | Paweł Ngei <github@alxd.org> | 2018-12-07 16:42:22 +0100 |
committer | Eugen Rochko <eugen@zeonfederated.com> | 2018-12-07 16:42:22 +0100 |
commit | 5c7f641565e8022c3d8d704e49b510a79e5f16ad (patch) | |
tree | 6e7bbe51c22eb73084007e2d175234bc8c9ccdee /app | |
parent | d3547fa00580a03d1687316d56c32f407c0d9fe6 (diff) |
Escape HTML in profile name preview in profile settings (#9446)
* fix non-escaped html in the profile settings * provide a default profile text in case there's no custom one * update haml syntax * simplify default profile name to username * sanitize user-input html but display emojified icons
Diffstat (limited to 'app')
-rw-r--r-- | app/javascript/packs/public.js | 8 | ||||
-rw-r--r-- | app/views/application/_card.html.haml | 1 |
2 files changed, 7 insertions, 2 deletions
diff --git a/app/javascript/packs/public.js b/app/javascript/packs/public.js
index 36b1fd26b..6ba37c049 100644
--- a/app/javascript/packs/public.js
+++ b/app/javascript/packs/public.js
@@ -1,3 +1,4 @@
+import escapeTextContentForBrowser from 'escape-html';
 import loadPolyfills from '../mastodon/load_polyfills';
 import ready from '../mastodon/ready';
 import { start } from '../mastodon/common';
@@ -133,9 +134,12 @@ function main() {
 delegate(document, '#account_display_name', 'input', ({ target }) => {
 const name = document.querySelector('.card .display-name strong');
-
 if (name) {
- name.innerHTML = emojify(target.value);
+ if (target.value) {
+ name.innerHTML = emojify(escapeTextContentForBrowser(target.value));
+ } else {
+ name.textContent = document.querySelector('#default_account_display_name').textContent;
+ }
 }
 });
diff --git a/app/views/application/_card.html.haml b/app/views/application/_card.html.haml
index 9cf8f8ff2..e6059b035 100644
--- a/app/views/application/_card.html.haml
+++ b/app/views/application/_card.html.haml
@@ -9,6 +9,7 @@
 = image_tag account.avatar.url, alt: '', width: 48, height: 48, class: 'u-photo'
 .display-name
+ %span{id: "default_account_display_name", style: "display:none;"}= account.username
 %bdi
 %strong.emojify.p-name= display_name(account, custom_emojify: true)
 %span
 |
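Review bot: The call order on the new `name.innerHTML` line is what makes it safe — escapeTextContentForBrowser() runs on the raw value and emojify() then only adds its own `<img>` markup — yet nothing in the hunk records that, so a later refactor could swap the two back into an injection. A comment above the assignment would pin it: `// escape before emojify(): the only markup that may reach innerHTML is what emojify() itself emits`. The else branch also dereferences `document.querySelector('#default_account_display_name')` with no null check; it only holds because the same commit adds that span to the _card partial, so a null-tolerant form such as `const fallback = document.querySelector('#default_account_display_name');` followed by `name.textContent = fallback ? fallback.textContent : '';` would survive the partial changing. The surrounding `if (name)` guard and the enclosing main() start and end outside the hunk.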
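Review bot: The new hidden span relies on an inline `style` attribute, which is exactly what a `style-src` directive without `'unsafe-inline'` would block if a Content-Security-Policy is ever applied to these pages, and it adds a DOM element solely for the script's benefit. Carrying the username as a data attribute on the existing `.display-name` element (e.g. `.display-name{ data: { default_name: account.username } }`, read through `dataset.defaultName` in public.js) needs neither a hidden element nor an inline style; if the span stays, the id shorthand `%span#default_account_display_name` matches the style of the surrounding markup. The `= account.username` value should go through HAML's default output escaping, which is what lets the script copy it safely via textContent.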