Escape HTML in profile name preview in profile settings #9446

Merged
merged 5 commits into from
Dec 7, 2018

Conversation

pawelngei (Contributor)

Addresses #9343. Additionally falls back to the default profile name if the user deletes their custom one.

Right now the data about the default name is set in a display: none span, but it can be provided to JavaScript in some other way.

Personally I'd rewrite this view to React some day, but we should be good for now.

@@ -9,6 +9,7 @@
= image_tag account.avatar.url, alt: '', width: 48, height: 48, class: 'u-photo'

.display-name
%span{:id=>"default_account_display_name", :style=>"display:none;"}= display_name(account, custom_emojify: true)
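Review bot: the `:id=>"..."` / `:style=>"..."` hash style on the new `%span` line is the outdated Ruby 1.8 syntax; write `%span{id: "default_account_display_name", style: "display:none;"}` instead. Beyond style, stashing the fallback in a `display:none` span means the JavaScript has to read it back out of the DOM; a `data-` attribute on the existing `.display-name` element would carry the same value without an invisible node. And since the default display name is simply the username (as raised in review), the fallback should be `account.username` rather than the output of `display_name(account, custom_emojify: true)`, which reflects whatever custom name is currently set.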
Member

Use the `id: ""` style; the `=>` style is outdated.

Member

Since the default display name is always just the username, we should display that instead. This will give incorrect results for users trying to unset their display name.

Contributor Author

Is the username anywhere else on the page for JS to fetch, or should we provide it some other way through Ruby?

if (name) {
name.innerHTML = emojify(target.value);
if (target.value) {
name.textContent = emojify(target.value);
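Review bot: replacing `name.innerHTML = emojify(target.value)` with `name.textContent = emojify(target.value)` closes the raw-HTML injection but also breaks custom emoji, because `emojify` returns `<img>` markup and `textContent` renders that markup literally. The fix that keeps both properties is to escape the user input first, then emojify, then assign via `innerHTML`, for example `name.innerHTML = emojify(escapeHtml(target.value))` with an HTML-escaping helper (hypothetical name `escapeHtml`) that encodes `&`, `<`, `>`, `"` and `'`. The new `if (target.value)` guard also needs an `else` branch that writes the default name back, otherwise clearing the field leaves the preview unchanged, contrary to the fallback the PR description promises.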
Member

`textContent = emojify(...)` doesn't work, since `emojify` returns `img` tags for custom emoji.
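The escape-then-emojify approach discussed in this thread, as an added example that is not Mastodon's code: `escapeHtml`, the `emojify` stand-in, the `CUSTOM_EMOJI` map and the `renderPreview*` functions are all hypothetical, and the sample input is constructed. It puts the pre-fix behaviour beside the fixed one: the `<img onerror>` probe survives as live markup in the first and becomes escaped text in the second, while the `:blobcat:` shortcode still turns into an `<img>` in both, and an empty custom name falls back to the username.

```javascript
// Added example (not Mastodon's code): a profile-name preview that escapes
// user input before emojifying, so markup typed into the field is shown as
// text while custom-emoji shortcodes still render as <img> tags.

// Hypothetical custom emoji map; a real instance fetches these from the server.
const CUSTOM_EMOJI = {
  blobcat: 'https://example.invalid/emoji/blobcat.png',
};

// Escape the five characters that matter in HTML text and attribute context.
function escapeHtml(str) {
  const table = {
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  };
  return String(str).replace(/[&<>"']/g, (c) => table[c]);
}

// Stand-in for Mastodon's emojify(): replaces :shortcode: with an <img>.
// The input is assumed to be already-escaped HTML. The shortcode and URL are
// escaped again so a crafted map entry cannot break out of the attribute.
function emojify(html) {
  return html.replace(/:([a-zA-Z0-9_]+):/g, (match, shortcode) => {
    const url = CUSTOM_EMOJI[shortcode];
    if (!url) return match; // unknown shortcode: leave the text alone
    const safe = escapeHtml(shortcode);
    return `<img class="emojione custom-emoji" alt=":${safe}:" ` +
      `title=":${safe}:" src="${escapeHtml(url)}" />`;
  });
}

// Pre-fix behaviour: raw user input is emojified and dropped into innerHTML,
// so any tag the user types becomes live markup (XSS in the preview).
function renderPreviewUnsafe(value) {
  return emojify(value);
}

// Fixed behaviour: escape first, then emojify, then assign innerHTML.
// An empty custom name falls back to the username, which is also escaped.
function renderPreviewSafe(value, username) {
  const source = value && value.length > 0 ? value : username;
  return emojify(escapeHtml(source));
}

// Wiring against a real DOM element (browser only; defining it is harmless in Node).
function attachPreview(input, nameElement, username) {
  input.addEventListener('input', (e) => {
    nameElement.innerHTML = renderPreviewSafe(e.target.value, username);
  });
}

// Constructed sample input: an XSS probe followed by a custom emoji shortcode.
const SAMPLE = '<img src=x onerror=alert(1)> :blobcat:';
```

The order matters: escaping after `emojify` would neutralise the `<img>` tags the function just produced, which is the same failure mode as the `textContent` attempt; escaping before it leaves `:shortcode:` intact because the regex only matches colon-delimited word characters, none of which an HTML entity contains.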

Contributor Author

👍

Contributor Author

Okay, I think there may be a wider bug, but even on master I cannot see the emojis in this field. I checked out https://writing.exchange/ and https://chaos.social/ and it doesn't work there, either.


@@ -9,6 +9,7 @@
= image_tag account.avatar.url, alt: '', width: 48, height: 48, class: 'u-photo'

.display-name
%span{id: "default_account_display_name", style: "display:none;"}= display_name(account, custom_emojify: true)
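Review bot: the hash syntax is now current, but the hidden span still emits `display_name(account, custom_emojify: true)` as the fallback even though, per the review, the default display name is simply the username; a user who clears a custom display name would be previewed their old custom name rather than their username. Pass `account.username` here (or expose it as a `data-` attribute on `.display-name`) so the preview matches what the server will actually show after the custom name is unset.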

pawelngei (Contributor Author)

I've started looking at https://github.com/tootsuite/mastodon/blob/master/app/javascript/mastodon/features/emoji/emoji.js and there's something seriously wrong with it. Does it work for anyone? I tested it on my local instance, chaos.social and writing.exchange and it doesn't emojify the profile.

From what I see, the extremely convoluted `emojify` function never gets past the first `while`.

I'd like to refactor that function, but first I'd like to know if it works for anybody, anywhere.

pawelngei (Contributor Author)

Okay, after several hours of debugging I have no idea how emojify works and how to test custom emojis. I welcome you to try fixing that and testing what kind of escaping works properly.

pawelngei (Contributor Author)

Managed to handle the emojified unicode, but I have no idea if this will work for custom icons as well or how to test them.

@Gargron Gargron merged commit 5c7f641 into mastodon:master Dec 7, 2018
hiyuki2578 pushed a commit to ProjectMyosotis/mastodon that referenced this pull request Oct 2, 2019
* fix non-escaped html in the profile settings

* provide a default profile text in case if there's no custom one

* update haml syntax

* simplify default profile name to username

* sanitize user-input html but display emojified icons
3 participants