Escape HTML in profile name preview in profile settings (#9446)

* fix non-escaped html in the profile settings * provide a default profile text in case if there's no custom one * update haml syntax * simplify default profile name to username * sanitize user-input html but display emojified icons

Escape HTML in profile name preview in profile settings (#9446)
5c7f6415 · Paweł Ngei · Eugen Rochko · d3547fa0 · 5c7f6415 · 5c7f6415
--- a/app/javascript/packs/public.js
+++ b/app/javascript/packs/public.js
+import escapeTextContentForBrowser from 'escape-html';
 import loadPolyfills from '../mastodon/load_polyfills';
 import ready from '../mastodon/ready';
 import { start } from '../mastodon/common';
@@ -133,9 +134,12 @@ function main() {

  delegate(document, '#account_display_name', 'input', ({ target }) => {
    const name = document.querySelector('.card .display-name strong');
-
    if (name) {
-      name.innerHTML = emojify(target.value);
+      if (target.value) {
+        name.innerHTML = emojify(escapeTextContentForBrowser(target.value));
+      } else {
+        name.textContent = document.querySelector('#default_account_display_name').textContent;
+      }
    }
  });


--- a/app/views/application/_card.html.haml
+++ b/app/views/application/_card.html.haml
@@ -9,6 +9,7 @@
        = image_tag account.avatar.url, alt: '', width: 48, height: 48, class: 'u-photo'

      .display-name
+        %span{id: "default_account_display_name", style: "display:none;"}= account.username
        %bdi
          %strong.emojify.p-name= display_name(account, custom_emojify: true)
        %span