Escape HTML in profile name preview in profile settings (#9446)

* fix non-escaped html in the profile settings

* provide a default profile text in case if there's no custom one

* update haml syntax

* simplify default profile name to username

* sanitize user-input html but display emojified icons
This commit is contained in:
Paweł Ngei 2018-12-07 16:42:22 +01:00 committed by Eugen Rochko
parent d61410c306
commit 03289a4d14
2 changed files with 7 additions and 2 deletions

View file

@ -1,3 +1,4 @@
import escapeTextContentForBrowser from 'escape-html';
import loadPolyfills from '../mastodon/load_polyfills';
import ready from '../mastodon/ready';
import { start } from '../mastodon/common';
@ -133,9 +134,12 @@ function main() {
delegate(document, '#account_display_name', 'input', ({ target }) => {
const name = document.querySelector('.card .display-name strong');
if (name) {
name.innerHTML = emojify(target.value);
if (target.value) {
name.innerHTML = emojify(escapeTextContentForBrowser(target.value));
} else {
name.textContent = document.querySelector('#default_account_display_name').textContent;
}
}
});

View file

@ -9,6 +9,7 @@
= image_tag account.avatar.url, alt: '', width: 48, height: 48, class: 'u-photo'
.display-name
%span{id: "default_account_display_name", style: "display:none;"}= account.username
%bdi
%strong.emojify.p-name= display_name(account, custom_emojify: true)
%span