Escape HTML in profile name preview in profile settings (mastodon#9446)

pawelngei · hiyuki2578 · commit 2bc38ed1e434 · 2019-10-02T10:02:09.000+09:00
* fix non-escaped html in the profile settings

* provide a default profile text in case if there's no custom one

* update haml syntax

* simplify default profile name to username

* sanitize user-input html but display emojified icons
diff --git a/app/javascript/packs/public.js b/app/javascript/packs/public.js
@@ -1,3 +1,4 @@
+import escapeTextContentForBrowser from 'escape-html';
 import loadPolyfills from '../mastodon/load_polyfills';
 import ready from '../mastodon/ready';
 import { start } from '../mastodon/common';
@@ -133,9 +134,12 @@ function main() {
 
   delegate(document, '#account_display_name', 'input', ({ target }) => {
     const name = document.querySelector('.card .display-name strong');
-
     if (name) {
-      name.innerHTML = emojify(target.value);
+      if (target.value) {
+        name.innerHTML = emojify(escapeTextContentForBrowser(target.value));
+      } else {
+        name.textContent = document.querySelector('#default_account_display_name').textContent;
+      }
     }
   });
 
diff --git a/app/views/application/_card.html.haml b/app/views/application/_card.html.haml
@@ -9,6 +9,7 @@
         = image_tag account.avatar.url, alt: '', width: 48, height: 48, class: 'u-photo'
 
       .display-name
+        %span{id: "default_account_display_name", style: "display:none;"}= account.username
         %bdi
           %strong.emojify.p-name= display_name(account, custom_emojify: true)
         %span
