Diffstat (limited to 'internal/processing/account')
-rw-r--r-- | internal/processing/account/create.go | 3 | ||||
-rw-r--r-- | internal/processing/account/update.go | 6 |
2 files changed, 6 insertions, 3 deletions
diff --git a/internal/processing/account/create.go b/internal/processing/account/create.go
index a6bfb8a60..8b29f147f 100644
--- a/internal/processing/account/create.go
+++ b/internal/processing/account/create.go
@@ -23,6 +23,7 @@ import (
 apimodel "github.com/superseriousbusiness/gotosocial/internal/api/model"
 "github.com/superseriousbusiness/gotosocial/internal/gtsmodel"
+ "github.com/superseriousbusiness/gotosocial/internal/util"
 "github.com/superseriousbusiness/oauth2/v4"
 )
@@ -44,7 +45,7 @@ func (p *processor) Create(applicationToken oauth2.TokenInfo, application *gtsmo
 }
 l.Trace("creating new username and account")
- user, err := p.db.NewSignup(form.Username, reason, p.config.AccountsConfig.RequireApproval, form.Email, form.Password, form.IP, form.Locale, application.ID)
+ user, err := p.db.NewSignup(form.Username, util.RemoveHTML(reason), p.config.AccountsConfig.RequireApproval, form.Email, form.Password, form.IP, form.Locale, application.ID)
 if err != nil {
 return nil, fmt.Errorf("error creating new signup in the database: %s", err)
 }
diff --git a/internal/processing/account/update.go b/internal/processing/account/update.go
index 830fec60a..fbe29ac86 100644
--- a/internal/processing/account/update.go
+++ b/internal/processing/account/update.go
@@ -50,7 +50,8 @@ func (p *processor) Update(account *gtsmodel.Account, form *apimodel.UpdateCrede
 if err := util.ValidateDisplayName(*form.DisplayName); err != nil {
 return nil, err
 }
- if err := p.db.UpdateOneByID(account.ID, "display_name", *form.DisplayName, >smodel.Account{}); err != nil {
+ displayName := util.RemoveHTML(*form.DisplayName) // no html allowed in display name
+ if err := p.db.UpdateOneByID(account.ID, "display_name", displayName, >smodel.Account{}); err != nil {
 return nil, err
 }
 }
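Review bot: The `util.RemoveHTML(reason)` call added to the `NewSignup` line cleans only signups created after this commit; reasons already stored keep whatever markup they were submitted with, so the code that renders a signup reason should still escape it on output rather than rely on this write-time strip. The same holds for the `display_name` and `note` writes changed in update.go. The call also lacks the short why-comment the update.go changes carry; something like `// no html allowed in signup reason` above the line would keep the three call sites consistent. Create's body begins and ends outside this hunk, so how `reason` is derived, and whether a required reason is re-checked for emptiness after stripping, cannot be confirmed from here.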
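Review bot: `util.ValidateDisplayName` still runs on the raw `*form.DisplayName`, while the value written by `UpdateOneByID` is the output of `util.RemoveHTML`, so the stored string is never the one that was validated. If stripping reduces the input to nothing or, depending on how RemoveHTML treats a bare `<` or `&`, entity-encodes it past the length limit, the stored value may no longer satisfy the constraint. Sanitize first and validate the result: `displayName := util.RemoveHTML(*form.DisplayName)` followed by `if err := util.ValidateDisplayName(displayName); err != nil {`. The note hunk that follows has the same ordering with `util.ValidateNote` and `util.SanitizeHTML`. Update's body starts and ends outside the hunk.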
@@ -59,7 +60,8 @@ func (p *processor) Update(account *gtsmodel.Account, form *apimodel.UpdateCrede
 if err := util.ValidateNote(*form.Note); err != nil {
 return nil, err
 }
- if err := p.db.UpdateOneByID(account.ID, "note", *form.Note, >smodel.Account{}); err != nil {
+ note := util.SanitizeHTML(*form.Note) // html OK in note but sanitize it
+ if err := p.db.UpdateOneByID(account.ID, "note", note, >smodel.Account{}); err != nil {
 return nil, err
 }
 }
|