Committer: vad
LJSUP-11020: Fix XSS vulnerability
U trunk/cgi-bin/LJ/User.pm
Modified: trunk/cgi-bin/LJ/User.pm
===================================================================
--- trunk/cgi-bin/LJ/User.pm 2012-01-20 12:58:53 UTC (rev 20948)
+++ trunk/cgi-bin/LJ/User.pm 2012-01-22 08:57:04 UTC (rev 20949)
@@ -1345,14 +1345,14 @@
 return $ident->value;
 }
-# returns username or identity display name, not escaped
+# returns username or identity display name
 sub display_name {
 my $u = shift;
 return $u->username unless $u->is_identity;
 my $id = $u->identity;
 return "[ERR:unknown_identity]" unless $id;
- return $id->display_name($u);
+ return LJ::ehtml( $id->display_name($u) );
 }
 sub ljuser_display {
@@ -3876,17 +3876,20 @@
 my $u = shift;
 my $need_cut = shift || 0;
- if ($u->is_identity && $need_cut) {
- my $name = $u->display_name;
- my $short_name = substr ($name, 0, 16);
- if ($name ne $short_name) {
- $short_name .= "...";
+ my $username = $u->{user};
+ if ($u->is_identity){
+ $username = $u->display_name;
+ if ($need_cut){
+ my $short_name = substr ($username, 0, 16);
+ if ($username eq $short_name) {
+ $username = $short_name;
+ } else {
+ $username = $short_name . "...";
+ }
 }
- return $short_name;
 }
- return $u->display_name if $u->is_identity;
- return $u->{user};
+ return LJ::ehtml($username);
 }
 # returns the user-specified name of a journal exactly as entered
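Review bot: The rewritten comment on display_name drops "not escaped" but never states that the value is now HTML-escaped, and the escaping is applied to only one of the three return paths — `return $u->username unless $u->is_identity;` and the `"[ERR:unknown_identity]"` fallback are returned as-is while the identity branch goes through `LJ::ehtml`, so callers get raw or escaped text depending on account type. Because this silently changes the contract of a widely used accessor, every caller that already escaped the result itself will now double-encode (the second hunk of this same commit does exactly that with `return LJ::ehtml($username);`), and callers that compare or store the name get entity-encoded text. I would make the contract explicit, e.g. `# returns username or identity display name; the identity display name is HTML-escaped via LJ::ehtml, the plain username is returned unescaped`, and either escape all three paths uniformly or audit the callers of display_name for double-escaping before merging.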
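Review bot: `$username = $u->display_name;` now receives a string that display_name already passed through `LJ::ehtml` (first hunk), so `substr ($username, 0, 16)` truncates escaped text — it can cut through an entity such as `&amp;` and leave `&am`, and entity characters count against the 16-character limit — and the final `return LJ::ehtml($username);` then escapes the same text a second time, turning an `&` in an identity display name into `&amp;amp;`. This is not an injection risk (double-encoding fails safe), but the rendered name is wrong. Truncate the raw name and escape exactly once at the end: replace the identity assignment with `my $id = $u->identity;` and `$username = $id ? $id->display_name($u) : "[ERR:unknown_identity]";`, keeping the single `LJ::ehtml($username)` at the return. The enclosing sub starts before this hunk, so its name and any earlier argument handling are not visible here.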