author | Kitsune Ral <Kitsune-Ral@users.sf.net> | 2019-03-17 09:03:34 +0900 |
---|---|---|
committer | Kitsune Ral <Kitsune-Ral@users.sf.net> | 2019-03-17 09:03:34 +0900 |
commit | 6577320f8653fbd99a100a844d7b42a46da5f45a (patch) | |
tree | 2548afc4acfbf038cef348a986fd62d735f36827 /lib | |
parent | f13d54bd9931a340af862cc0a03af2ac68fe5e06 (diff) | |
download | libquotient-6577320f8653fbd99a100a844d7b42a46da5f45a.tar.gz libquotient-6577320f8653fbd99a100a844d7b42a46da5f45a.zip |
RoomMemberEvent: sanitize user display names
MemberEventContent::displayName() will strip away Unicode text direction override characters. Direct access to JSON can still provide "raw" data.
Diffstat (limited to 'lib')
-rw-r--r-- | lib/events/roommemberevent.cpp | 2 | ||||
-rw-r--r-- | lib/util.cpp | 10 | ||||
-rw-r--r-- | lib/util.h | 7 |
3 files changed, 16 insertions, 3 deletions
diff --git a/lib/events/roommemberevent.cpp b/lib/events/roommemberevent.cpp
index a5ac3c5f..6da76526 100644
--- a/lib/events/roommemberevent.cpp
+++ b/lib/events/roommemberevent.cpp
@@ -52,7 +52,7 @@ using namespace QMatrixClient;
 MemberEventContent::MemberEventContent(const QJsonObject& json)
 : membership(fromJson<MembershipType>(json["membership"_ls]))
 , isDirect(json["is_direct"_ls].toBool())
- , displayName(json["displayname"_ls].toString())
+ , displayName(sanitized(json["displayname"_ls].toString()))
 , avatarUrl(json["avatar_url"_ls].toString())
 { }
diff --git a/lib/util.cpp b/lib/util.cpp
index d042aa34..2744d45f 100644
--- a/lib/util.cpp
+++ b/lib/util.cpp
@@ -63,10 +63,18 @@ static void linkifyUrls(QString& htmlEscapedText)
 QStringLiteral(R"(\1<a href="https://matrix.to/#/\2">\2</a>)"));
 }
+QString QMatrixClient::sanitized(const QString& plainText)
+{
+ auto text = plainText;
+ text.remove(QChar(0x202e));
+ text.remove(QChar(0x202d));
+ return text.toHtmlEscaped();
+}
+
 QString QMatrixClient::prettyPrint(const QString& plainText)
 {
 auto pt = QStringLiteral("<span style='white-space:pre-wrap'>") +
- plainText.toHtmlEscaped() + QStringLiteral("</span>");
+ sanitized(plainText).toHtmlEscaped() + QStringLiteral("</span>");
 pt.replace('\n', QStringLiteral("<br/>"));
 linkifyUrls(pt);
@@ -296,7 +296,12 @@ namespace QMatrixClient
 return std::make_pair(last, sLast);
 }
- /** Pretty-prints plain text into HTML
+ /** Sanitize the text before showing in HTML
+ * This does toHtmlEscaped() and removes Unicode BiDi marks.
+ */
+ QString sanitized(const QString& plainText);
+
+ /** Pretty-print plain text into HTML
 * This includes HTML escaping of <,>,",& and URLs linkification.
 */
 QString prettyPrint(const QString& plainText); |
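Review bot: The `displayName` member now stores HTML-escaped text rather than the plain name, because `sanitized()` as added in the lib/util.cpp hunk ends with `return text.toHtmlEscaped();`, so a name containing `&` or `<` is kept as entities. Any consumer that treats the field as plain text (a plain-text label, a string comparison, or writing the content back out as JSON) would see or propagate the escaped form; whether such consumers exist is not visible in this hunk. Keeping the member as stripped plain text and escaping only where HTML is produced would separate the two concerns. If the escaped form is intended, record it next to the initialiser, e.g. `// NB: already HTML-escaped and stripped of BiDi overrides; do not escape again`.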
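Review bot: `prettyPrint()` now HTML-escapes its input twice: `sanitized(plainText)` already returns `text.toHtmlEscaped()`, and the changed line calls `.toHtmlEscaped()` on that result. An `&` in a message therefore becomes `&amp;amp;` and is rendered literally as `&amp;`, and `<` is rendered as `&lt;`. Either drop the second call, `sanitized(plainText) + QStringLiteral("</span>");`, or have `sanitized()` return the stripped text unescaped and leave escaping to its callers. The body of `prettyPrint()` continues past the end of the hunk.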
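Review bot: The doc comment on `sanitized()` promises more than the implementation in lib/util.cpp delivers: it says "removes Unicode BiDi marks", but only U+202E and U+202D (the two override characters) are removed. Embeddings (U+202A, U+202B), isolates (U+2066–U+2069) and the marks U+200E/U+200F pass through unchanged. If only overrides are intended, say so and state the escaping contract, e.g. `* Removes the BiDi override characters U+202D and U+202E and HTML-escapes the result; do not escape the returned string again.` If the aim is to prevent reordering of displayed names in general, the removal list probably needs the remaining directional formatting characters as well.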