Sanitize+truncate display names on registration+change. For #2527

This commit is contained in:
Gabe Kangas 2022-12-28 21:30:06 -08:00
parent 51c804f6ae
commit 0c03773c4c
No known key found for this signature in database
GPG Key ID: 4345B2060657F330
4 changed files with 68 additions and 5 deletions


@ -4,9 +4,11 @@ import (
"encoding/json"
"net/http"
"github.com/owncast/owncast/config"
"github.com/owncast/owncast/core/chat"
"github.com/owncast/owncast/core/user"
"github.com/owncast/owncast/router/middleware"
"github.com/owncast/owncast/utils"
log "github.com/sirupsen/logrus"
)
@ -76,7 +78,8 @@ func RegisterAnonymousChatUser(w http.ResponseWriter, r *http.Request) {
request.DisplayName = r.Header.Get("X-Forwarded-User")
}
newUser, accessToken, err := user.CreateAnonymousUser(request.DisplayName)
proposedNewDisplayName := utils.MakeSafeStringOfLength(request.DisplayName, config.MaxChatDisplayNameLength)
newUser, accessToken, err := user.CreateAnonymousUser(proposedNewDisplayName)
if err != nil {
WriteSimpleResponse(w, false, err.Error())
return
@ -85,7 +88,7 @@ func RegisterAnonymousChatUser(w http.ResponseWriter, r *http.Request) {
response := registerAnonymousUserResponse{
ID: newUser.ID,
AccessToken: accessToken,
DisplayName: newUser.DisplayName,
DisplayName: proposedNewDisplayName,
}
w.Header().Set("Content-Type", "application/json")
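Review bot: The response at the last changed line now echoes `proposedNewDisplayName` rather than `newUser.DisplayName`, so if `user.CreateAnonymousUser` ever adjusts the name it stores (for example substituting a generated name when the sanitized input is empty, which a header or body consisting only of tags like `<b></b>` would produce after stripping), the client is told a name that differs from the server's record. Returning the persisted value, `DisplayName: newUser.DisplayName,`, keeps the two in sync and still reflects the sanitization, since the sanitized string is what was passed in. An explicit guard before the create call, `if proposedNewDisplayName == "" { WriteSimpleResponse(w, false, "invalid display name"); return }`, would also make the empty case deliberate unless CreateAnonymousUser is known to handle it. RegisterAnonymousChatUser begins and ends outside this hunk.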


@ -11,6 +11,7 @@ import (
"github.com/owncast/owncast/core/data"
"github.com/owncast/owncast/core/user"
"github.com/owncast/owncast/core/webhooks"
"github.com/owncast/owncast/utils"
log "github.com/sirupsen/logrus"
)
@ -27,9 +28,7 @@ func (s *Server) userNameChanged(eventData chatClientEvent) {
blocklist := data.GetForbiddenUsernameList()
// Names have a max length
if len(proposedUsername) > config.MaxChatDisplayNameLength {
proposedUsername = proposedUsername[:config.MaxChatDisplayNameLength]
}
proposedUsername = utils.MakeSafeStringOfLength(proposedUsername, config.MaxChatDisplayNameLength)
for _, blockedName := range blocklist {
normalizedName := strings.TrimSpace(blockedName)
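Review bot: `MakeSafeStringOfLength` truncates with a byte slice (`newString[:length]` in utils/strings.go), so a proposed name with a multi-byte character straddling the limit reaches the blocklist loop and the stored name as invalid UTF-8; the removed lines had the same flaw, but the new shared helper is the natural place to fix it by slicing `[]rune(proposedUsername)` instead. Separately, bluemonday returns HTML-escaped text, so as far as I can tell a name such as `Rock & Roll` arrives here as `Rock &amp; Roll`; the blocklist comparison below then runs against the escaped form and would miss an entry written in plain text, and the entity itself can be cut by the length cap. If names are stored and rendered as plain text, consider `html.UnescapeString` after stripping, or compare the blocklist against both forms. userNameChanged continues past the end of this hunk.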

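--- /dev/null
+++ b/utils/strings.go
@@ -0,0 +1,29 @@
+package utils
+import (
+"strings"
+"github.com/microcosm-cc/bluemonday"
+)
+// StripHTML will strip HTML tags from a string.
+func StripHTML(s string) string {
+p := bluemonday.NewPolicy()
+return p.Sanitize(s)
+}
+// MakeSafeStringOfLength will take a string and strip HTML tags,
+// trim whitespace, and limit the length.
+func MakeSafeStringOfLength(s string, length int) string {
+newString := s
+newString = StripHTML(newString)
+if len(newString) > length {
+newString = newString[:length]
+}
+newString = strings.ReplaceAll(newString, "\r", "")
+newString = strings.TrimSpace(newString)
+return newString
+}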
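Review bot: `newString[:length]` slices bytes, not characters, so a multi-byte rune straddling the limit is cut in half and the function returns invalid UTF-8 that then reaches the database and every chat client; the limit also counts bytes while the callers' `MaxChatDisplayNameLength` reads as a character count. Truncating over `[]rune(newString)` fixes both, and because bluemonday's text output is HTML-escaped (`&` becomes `&amp;`, `'` becomes `&#39;`, if I read the library right) an entity can likewise be split by the cap, so whether the escaped or the unescaped form is measured and stored should be decided here rather than left to the callers. Only `\r` is removed; `\n`, tabs and other control characters pass through into the name, which a `strings.Map` over `unicode.IsControl` (needs `"unicode"` imported) would catch in the same pass. The doc comment should also state the unit, e.g. `// ... and limit the length to at most length runes.`
```go
// MakeSafeStringOfLength will take a string and strip HTML tags,
// drop control characters, trim whitespace, and limit the length
// to at most length runes (not bytes).
func MakeSafeStringOfLength(s string, length int) string {
	newString := StripHTML(s)
	// Remove \r and every other control character, not just \r.
	newString = strings.Map(func(r rune) rune {
		if unicode.IsControl(r) {
			return -1
		}
		return r
	}, newString)
	// Slice by rune so a multi-byte character is never cut in half.
	if runes := []rune(newString); len(runes) > length {
		newString = string(runes[:length])
	}
	return strings.TrimSpace(newString)
}
```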

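--- /dev/null
+++ b/utils/strings_test.go
@@ -0,0 +1,32 @@
+package utils
+import (
+"fmt"
+"testing"
+)
+// TestStripHTML tests the StripHTML function.
+func TestStripHTML(t *testing.T) {
+requestedString := `<p><img src="img.png"/>Some text</p>`
+expectedResult := `Some text`
+result := StripHTML(requestedString)
+fmt.Println(result)
+if result != expectedResult {
+t.Errorf("Expected %s, got %s", expectedResult, result)
+}
+}
+// TestSafeString tests the TestSafeString function.
+func TestSafeString(t *testing.T) {
+requestedString := `<p><img src="img.png"/> Some text blah blah blah blah blah blahb albh</p>`
+expectedResult := `Some te`
+result := MakeSafeStringOfLength(requestedString, 10)
+fmt.Println(result)
+if result != expectedResult {
+t.Errorf("Expected %s, got %s", expectedResult, result)
+}
+}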
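Review bot: Both tests leave `fmt.Println(result)` in the suite as debug output; `t.Logf("%q", result)` keeps the value attached to the test (and `%q` would make leading or trailing whitespace visible), or the line can simply be dropped along with the `fmt` import. The cases also cover only ASCII input, so the helper's byte-based truncation of multi-byte text is never exercised; a case such as `result := MakeSafeStringOfLength("héllo wörld", 2)` followed by `if !utf8.ValidString(result) { t.Errorf("got invalid UTF-8 %q", result) }` would pin that, and a name containing `&` would document whether callers receive escaped or plain text. The comment on the second test names a `TestSafeString` function that does not exist; it should read `// TestSafeString tests the MakeSafeStringOfLength function.`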