From e855085835909549aa866ed968e24902eb378b5a Mon Sep 17 00:00:00 2001
From: Kitsune Ral <Kitsune-Ral@users.sf.net>
Date: Sun, 17 Mar 2019 09:03:34 +0900
Subject: RoomMemberEvent: sanitize user display names

MemberEventContent::displayName() will strip away Unicode text direction override characters. Direct access to JSON can still provide "raw" data.
---
 lib/events/roommemberevent.cpp |  2 +-
 lib/util.cpp                   | 10 +++++++++-
 lib/util.h                     |  7 ++++++-
 3 files changed, 16 insertions(+), 3 deletions(-)

(limited to 'lib')

diff --git a/lib/events/roommemberevent.cpp b/lib/events/roommemberevent.cpp
index a5ac3c5f..6da76526 100644
--- a/lib/events/roommemberevent.cpp
+++ b/lib/events/roommemberevent.cpp
@@ -52,7 +52,7 @@ using namespace QMatrixClient;
 MemberEventContent::MemberEventContent(const QJsonObject& json)
     : membership(fromJson<MembershipType>(json["membership"_ls]))
     , isDirect(json["is_direct"_ls].toBool())
-    , displayName(json["displayname"_ls].toString())
+    , displayName(sanitized(json["displayname"_ls].toString()))
     , avatarUrl(json["avatar_url"_ls].toString())
 { }
 
diff --git a/lib/util.cpp b/lib/util.cpp
index e1f312ee..8d16cfc8 100644
--- a/lib/util.cpp
+++ b/lib/util.cpp
@@ -63,10 +63,18 @@ static void linkifyUrls(QString& htmlEscapedText)
                  QStringLiteral(R"(\1<a href="https://matrix.to/#/\2">\2</a>)"));
 }
 
+QString QMatrixClient::sanitized(const QString& plainText)
+{
+    auto text = plainText;
+    text.remove(QChar(0x202e));
+    text.remove(QChar(0x202d));
+    return text;
+}
+
 QString QMatrixClient::prettyPrint(const QString& plainText)
 {
     auto pt = QStringLiteral("<span style='white-space:pre-wrap'>") +
-            plainText.toHtmlEscaped() + QStringLiteral("</span>");
+                plainText.toHtmlEscaped() + QStringLiteral("</span>");
     pt.replace('\n', QStringLiteral("<br/>"));
 
     linkifyUrls(pt);
diff --git a/lib/util.h b/lib/util.h
index f7f646da..beb3c697 100644
--- a/lib/util.h
+++ b/lib/util.h
@@ -296,7 +296,12 @@ namespace QMatrixClient
         return std::make_pair(last, sLast);
     }
 
-    /** Pretty-prints plain text into HTML
+    /** Sanitize the text before showing in HTML
+     * This does toHtmlEscaped() and removes Unicode BiDi marks.
+     */
+    QString sanitized(const QString& plainText);
+
+    /** Pretty-print plain text into HTML
      * This includes HTML escaping of <,>,",& and URLs linkification.
      */
     QString prettyPrint(const QString& plainText);
-- 
cgit v1.2.3