Sanitize `reason` param in POST /api/v1/accounts

author: Alex Gleason <alex@alexgleason.me> 2020-07-16 20:25:53 -0500
committer: Alex Gleason <alex@alexgleason.me> 2020-07-16 20:25:53 -0500
commit: 5e745567031e87ee0854dca8d10065449af27d9c (patch)
tree: 8f4b8360990a6a89f2927e54c3e69b9de0493d74 /lib
parent: 02cc42e72c5f7dde78c705c3cbc83d2c13fb7a71 (diff)
download: pleroma-5e745567031e87ee0854dca8d10065449af27d9c.tar.gz
1 files changed, 2 insertions, 1 deletions
diff --git a/lib/pleroma/web/twitter_api/twitter_api.ex b/lib/pleroma/web/twitter_api/twitter_api.ex
index 2294d9d0d..424a705dd 100644
--- a/lib/pleroma/web/twitter_api/twitter_api.ex
+++ b/lib/pleroma/web/twitter_api/twitter_api.ex
@@ -7,6 +7,7 @@ defmodule Pleroma.Web.TwitterAPI.TwitterAPI do
 
   alias Pleroma.Emails.Mailer
   alias Pleroma.Emails.UserEmail
+  alias Pleroma.HTML
   alias Pleroma.Repo
   alias Pleroma.User
   alias Pleroma.UserInviteToken
@@ -19,7 +20,7 @@ defmodule Pleroma.Web.TwitterAPI.TwitterAPI do
       |> Map.put(:nickname, params[:username])
       |> Map.put(:name, Map.get(params, :fullname, params[:username]))
       |> Map.put(:password_confirmation, params[:password])
-      |> Map.put(:registration_reason, params[:reason])
+      |> Map.put(:registration_reason, HTML.strip_tags(params[:reason]))
 
     if Pleroma.Config.get([:instance, :registrations_open]) do
       create_user(params, opts)
author	Alex Gleason <alex@alexgleason.me>	2020-07-16 20:25:53 -0500
committer	Alex Gleason <alex@alexgleason.me>	2020-07-16 20:25:53 -0500
commit	5e745567031e87ee0854dca8d10065449af27d9c (patch)
tree	8f4b8360990a6a89f2927e54c3e69b9de0493d74 /lib
parent	02cc42e72c5f7dde78c705c3cbc83d2c13fb7a71 (diff)
download	pleroma-5e745567031e87ee0854dca8d10065449af27d9c.tar.gz