authorfeld <feld@feld.me>2020-02-06 16:12:11 +0000
committerfeld <feld@feld.me>2020-02-06 16:12:11 +0000
commit8fcb9c42aad9e623287c26244f079fc5028c6359 (patch)
treee7ef10e9b4f9c528206ca9e7c4431f2307f004d6 /src
parente73e235b4df4654abbfd315645ed7ad35e0f326e (diff)
parent746416207bd15f7883af18e359b84f0c4444a12a (diff)
Merge branch 'fix/escape-html' into 'develop'
Escape HTML from display name and subject fields. Closes #724. See merge request pleroma/pleroma-fe!1052
Diffstat (limited to 'src')
-rw-r--r--src/services/entity_normalizer/entity_normalizer.service.js6
1 files changed, 4 insertions, 2 deletions
diff --git a/src/services/entity_normalizer/entity_normalizer.service.js b/src/services/entity_normalizer/entity_normalizer.service.js
index a3d0b782..3116d211 100644
--- a/src/services/entity_normalizer/entity_normalizer.service.js
+++ b/src/services/entity_normalizer/entity_normalizer.service.js
@@ -1,3 +1,5 @@
+import escape from 'escape-html'
+
const qvitterStatusType = (status) => {
if (status.is_post_verb) {
return 'status'
@@ -41,7 +43,7 @@ export const parseUser = (data) => {
}
output.name = data.display_name
- output.name_html = addEmojis(data.display_name, data.emojis)
+ output.name_html = addEmojis(escape(data.display_name), data.emojis)
output.description = data.note
output.description_html = addEmojis(data.note, data.emojis)
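Review bot: `description_html`, two lines below the change, still passes `data.note` to `addEmojis` unescaped, so that field is only safe if the backend delivers `note` as already-sanitised HTML. A comment such as `// data.note is expected to arrive as sanitised HTML from the backend; display_name is plain text and must be escaped` would record why the two neighbouring lines differ. The escape also covers only the text argument: `addEmojis` is not visible here, but if it builds markup from the entries in `data.emojis`, those values reach `name_html` (and `summary_html` in the parseStatus hunk) without passing through `escape`, so they would need escaping inside `addEmojis`. parseUser starts and ends outside this hunk.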
@@ -256,7 +258,7 @@ export const parseStatus = (data) => {
output.retweeted_status = parseStatus(data.reblog)
}
- output.summary_html = addEmojis(data.spoiler_text, data.emojis)
+ output.summary_html = addEmojis(escape(data.spoiler_text), data.emojis)
output.external_url = data.url
output.poll = data.poll
output.pinned = data.pinned
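Review bot: `escape(data.spoiler_text)` turns a missing value into visible text, because escape-html stringifies its argument before escaping. A `null` or `undefined` `spoiler_text` would therefore give a `summary_html` of "null" or "undefined" instead of an empty summary. If the backend can omit the field, `output.summary_html = addEmojis(escape(data.spoiler_text || ''), data.emojis)` keeps it empty; the `display_name` call in parseUser has the same shape. parseStatus continues outside this hunk.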