Sanitize+truncate display names on registration+change. For #2527
This commit is contained in:
parent
51c804f6ae
commit
0c03773c4c
@ -4,9 +4,11 @@ import (
|
||||
"encoding/json"
|
||||
"net/http"
|
||||
|
||||
"github.com/owncast/owncast/config"
|
||||
"github.com/owncast/owncast/core/chat"
|
||||
"github.com/owncast/owncast/core/user"
|
||||
"github.com/owncast/owncast/router/middleware"
|
||||
"github.com/owncast/owncast/utils"
|
||||
log "github.com/sirupsen/logrus"
|
||||
)
|
||||
|
||||
@ -76,7 +78,8 @@ func RegisterAnonymousChatUser(w http.ResponseWriter, r *http.Request) {
|
||||
request.DisplayName = r.Header.Get("X-Forwarded-User")
|
||||
}
|
||||
|
||||
newUser, accessToken, err := user.CreateAnonymousUser(request.DisplayName)
|
||||
proposedNewDisplayName := utils.MakeSafeStringOfLength(request.DisplayName, config.MaxChatDisplayNameLength)
|
||||
newUser, accessToken, err := user.CreateAnonymousUser(proposedNewDisplayName)
|
||||
if err != nil {
|
||||
WriteSimpleResponse(w, false, err.Error())
|
||||
return
|
||||
@ -85,7 +88,7 @@ func RegisterAnonymousChatUser(w http.ResponseWriter, r *http.Request) {
|
||||
response := registerAnonymousUserResponse{
|
||||
ID: newUser.ID,
|
||||
AccessToken: accessToken,
|
||||
DisplayName: newUser.DisplayName,
|
||||
DisplayName: proposedNewDisplayName,
|
||||
}
|
||||
|
||||
w.Header().Set("Content-Type", "application/json")
|
||||
|
@ -11,6 +11,7 @@ import (
|
||||
"github.com/owncast/owncast/core/data"
|
||||
"github.com/owncast/owncast/core/user"
|
||||
"github.com/owncast/owncast/core/webhooks"
|
||||
"github.com/owncast/owncast/utils"
|
||||
log "github.com/sirupsen/logrus"
|
||||
)
|
||||
|
||||
@ -27,9 +28,7 @@ func (s *Server) userNameChanged(eventData chatClientEvent) {
|
||||
blocklist := data.GetForbiddenUsernameList()
|
||||
|
||||
// Names have a max length
|
||||
if len(proposedUsername) > config.MaxChatDisplayNameLength {
|
||||
proposedUsername = proposedUsername[:config.MaxChatDisplayNameLength]
|
||||
}
|
||||
proposedUsername = utils.MakeSafeStringOfLength(proposedUsername, config.MaxChatDisplayNameLength)
|
||||
|
||||
for _, blockedName := range blocklist {
|
||||
normalizedName := strings.TrimSpace(blockedName)
|
||||
|
29
utils/strings.go
Normal file
29
utils/strings.go
Normal file
@ -0,0 +1,29 @@
|
||||
package utils
|
||||
|
||||
import (
|
||||
"strings"
|
||||
|
||||
"github.com/microcosm-cc/bluemonday"
|
||||
)
|
||||
|
||||
// StripHTML will strip HTML tags from a string.
|
||||
func StripHTML(s string) string {
|
||||
p := bluemonday.NewPolicy()
|
||||
return p.Sanitize(s)
|
||||
}
|
||||
|
||||
// MakeSafeStringOfLength will take a string and strip HTML tags,
|
||||
// trim whitespace, and limit the length.
|
||||
func MakeSafeStringOfLength(s string, length int) string {
|
||||
newString := s
|
||||
newString = StripHTML(newString)
|
||||
|
||||
if len(newString) > length {
|
||||
newString = newString[:length]
|
||||
}
|
||||
|
||||
newString = strings.ReplaceAll(newString, "\r", "")
|
||||
newString = strings.TrimSpace(newString)
|
||||
|
||||
return newString
|
||||
}
|
32
utils/strings_test.go
Normal file
32
utils/strings_test.go
Normal file
@ -0,0 +1,32 @@
|
||||
package utils
|
||||
|
||||
import (
|
||||
"fmt"
|
||||
"testing"
|
||||
)
|
||||
|
||||
// TestStripHTML tests the StripHTML function.
|
||||
func TestStripHTML(t *testing.T) {
|
||||
requestedString := `<p><img src="img.png"/>Some text</p>`
|
||||
expectedResult := `Some text`
|
||||
|
||||
result := StripHTML(requestedString)
|
||||
fmt.Println(result)
|
||||
|
||||
if result != expectedResult {
|
||||
t.Errorf("Expected %s, got %s", expectedResult, result)
|
||||
}
|
||||
}
|
||||
|
||||
// TestSafeString tests the TestSafeString function.
|
||||
func TestSafeString(t *testing.T) {
|
||||
requestedString := `<p><img src="img.png"/> Some text blah blah blah blah blah blahb albh</p>`
|
||||
expectedResult := `Some te`
|
||||
|
||||
result := MakeSafeStringOfLength(requestedString, 10)
|
||||
fmt.Println(result)
|
||||
|
||||
if result != expectedResult {
|
||||
t.Errorf("Expected %s, got %s", expectedResult, result)
|
||||
}
|
||||
}
|
Loading…
Reference in New Issue
Block a user