Escape HTML in profile name preview in profile settings #9446
Conversation
@@ -9,6 +9,7 @@ | |||
= image_tag account.avatar.url, alt: '', width: 48, height: 48, class: 'u-photo' | |||
|
|||
.display-name | |||
%span{:id=>"default_account_display_name", :style=>"display:none;"}= display_name(account, custom_emojify: true) |
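Review bot: the new `%span` uses the hash-rocket attribute style (`:id=>"..."`, `:style=>"..."`), which is the outdated HAML form; write it as `%span{id: "default_account_display_name", style: "display:none;"}` to match current style. Separately, smuggling the default name through a `display:none;` span means the script has to read it back out of the DOM as markup; a `data-` attribute on the preview element would carry the same value without a hidden element and without the reader having to decide between `textContent` and `innerHTML`.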
Use the `id: ""` style; the `=>` style is outdated.
Since the default display name is always just the username, we should display that instead. This will give incorrect results for users trying to unset their display name.
Is the username anywhere else on the page for JS to fetch, or should we provide it some other way through Ruby?
app/javascript/packs/public.js (outdated)
if (name) { | ||
name.innerHTML = emojify(target.value); | ||
if (target.value) { | ||
name.textContent = emojify(target.value); |
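Review bot: `name.textContent = emojify(target.value)` closes the injection but breaks the feature it is previewing: `emojify` returns `<img>` markup for custom emoji, and assigning that to `textContent` shows the tag source as literal text. Escape the user input first and keep `innerHTML` for the result, i.e. HTML-escape `target.value`, pass the escaped string to `emojify`, and assign that to `name.innerHTML`. The switch from `if (name)` to `if (target.value)` also has no else branch visible in this hunk, so check that emptying the field restores the default name rather than leaving the previous preview in place.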
`textContent = emojify` doesn't work, since `emojify` returns `img` tags for custom emoji.
👍
Okay, I think there may be a wider bug, but even on master I cannot see the emojis in this field. I checked out https://writing.exchange/ and https://chaos.social/ and it doesn't work there, either.
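The escape-then-emojify order this review thread is circling around, as an added example that is not Mastodon's code: `emojify` below is a small stand-in for the project's function in app/javascript/mastodon/features/emoji/emoji.js that only handles `:shortcode:` custom emoji, and the emoji map, the `example.invalid` URL and the `previewUnsafe`, `previewSafe` and `wirePreview` names are constructed for this example. It shows the "before" preview (raw input into `emojify` into `innerHTML`), the fixed preview (escape first, then `emojify`, then `innerHTML`), and the fallback to a default name when the field is emptied.

```javascript
// Added example, not the project's code. Constructed sample custom-emoji map
// (shortcode -> image URL); a Map avoids prototype keys like ":constructor:"
// resolving to a function when looked up on a plain object.
const CUSTOM_EMOJI = new Map([
  ['blobcat', 'https://example.invalid/emoji/blobcat.png'],
]);

// HTML-escape untrusted text so it can only ever be rendered as text.
// '&' must be replaced first so later entities are not double-escaped.
function escapeHtml(text) {
  return String(text)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Stand-in for Mastodon's emojify(): replaces :shortcode: with an <img> tag.
// Like the real function it takes HTML and returns HTML, so whatever is fed
// to it must already be escaped; it never escapes anything itself.
function emojify(html) {
  return html.replace(/:([A-Za-z0-9_]+):/g, (match, shortcode) => {
    const url = CUSTOM_EMOJI.get(shortcode);
    if (!url) return match; // unknown shortcode: leave the text alone
    return `<img draggable="false" class="emojione custom-emoji" alt="${match}" title="${match}" src="${url}" />`;
  });
}

// "Before": raw input goes straight into emojify and then into innerHTML, so
// an <img src=x onerror=...> typed into the display-name field becomes live
// markup in the preview.
function previewUnsafe(value) {
  return emojify(value);
}

// "After": escape first, then emojify. The returned string is safe to assign to
// innerHTML and custom emoji still render as images. Assigning it to
// textContent instead would show the <img ...> source as literal text, which
// is why textContent cannot be the fix. An empty or whitespace-only field
// falls back to defaultName (the username on the server side), which is
// escaped the same way as typed input.
function previewSafe(value, defaultName) {
  const text = value && value.trim() ? value : defaultName;
  return emojify(escapeHtml(text));
}

// Hook the preview up to an <input>; `input` and `nameEl` are whatever
// elements the settings page uses for the field and the preview (assumed here,
// not taken from the project's templates).
function wirePreview(input, nameEl, defaultName) {
  input.addEventListener('input', ({ target }) => {
    nameEl.innerHTML = previewSafe(target.value, defaultName);
  });
}
```

`previewSafe` is the only function whose output should ever reach `innerHTML`; `previewUnsafe` is kept only to show what the original `name.innerHTML = emojify(target.value)` line did with hostile input.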
@@ -9,6 +9,7 @@ | |||
= image_tag account.avatar.url, alt: '', width: 48, height: 48, class: 'u-photo' | |||
|
|||
.display-name | |||
%span{id: "default_account_display_name", style: "display:none;"}= display_name(account, custom_emojify: true) |
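Review bot: the hidden span still renders `display_name(account, custom_emojify: true)`, so when a user who already has a custom display name clears the field, the preview falls back to that old custom name rather than to what the server will actually show once the field is empty. Since the default is the username, render `account.username` here (escaped as text), and let the same JavaScript path emojify it so typed input and the fallback are treated identically.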
I've started looking at https://github.com/tootsuite/mastodon/blob/master/app/javascript/mastodon/features/emoji/emoji.js and there's something seriously wrong with it. Does it work for anyone? I tested it on my local instance, chaos.social and writing.exchange and it doesn't emojify the profile. From what I see it's extremely convoluted; I'd like to refactor that function, but first I'd like to know if it works for anybody, anywhere.
Okay, after several hours of debugging I have no idea how
Managed to handle the emojified unicode, but I have no idea if this will work for custom icons as well or how to test them.
* fix non-escaped html in the profile settings
* provide a default profile text in case there's no custom one
* update haml syntax
* simplify default profile name to username
* sanitize user-input html but display emojified icons
Addresses #9343. Additionally falls back to the default profile name if the user deletes their custom one.
Right now the data about the default name is set in a `display: none` span, but it can be provided to JavaScript in some other way. Personally I'd rewrite this view to React some day, but we should be good for now.