e32ae82441
In January 2020 Pleroma backend stopped escaping HTML in display names
and passed that responsibility on to frontends, compliant with Mastodon's
version of Mastodon API [1]. Pleroma-FE was subsequently modified to
escape the display name [2], however only in the "name_html" field. This
was fine however, since that's what the code rendering display names used.
However, 2 months ago an MR [3] refactoring the way the frontend does emoji
and mention rendering was merged. One of the things it did was moving away
from doing emoji rendering in the entity normalizer and using the unescaped
'user.name' in the rendering code, resulting in HTML injection being
possible again.
This patch escapes 'user.name' as well; as far as I can tell there is no
actual use for an unescaped display name in frontend code, especially
when it comes from MastoAPI, where it is not supposed to be HTML.
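The regression described in the commit message is a classic one: the value was escaped once, at normalization time, but only into a second field, so any later rendering path that reached for the original field bypassed the escaping. The example below is added here to illustrate the fix pattern and is not Pleroma-FE's own code; `normalizeUser`, `findUnescapedFields` and the sample account object are hypothetical and constructed for this illustration.

```javascript
// Added example (not Pleroma-FE code): escape a MastoAPI display name once,
// at normalization time, so that every field the rendering code might read
// ('name' and 'name_html') is already safe to interpolate as HTML.

// The five characters that matter in HTML text and attribute values.
// A single-pass replace over all of them never double-escapes '&'.
const HTML_ESCAPES = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#39;'
};

function escapeHtml(str) {
  return String(str).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Hypothetical normalizer for a MastoAPI account object. The API hands
// display_name over as plain text, not HTML, so the frontend escapes it
// instead of trusting the server to have done so.
function normalizeUser(account) {
  const safeName = escapeHtml(account.display_name || account.username || '');
  return {
    id: account.id,
    screen_name: account.username,
    // Before the fix only name_html was escaped; the regression came from
    // rendering code reading the raw 'name'. Escaping both closes that gap.
    name: safeName,
    name_html: safeName
  };
}

// Defensive check a unit test can run over normalized users: every field a
// template might render as HTML must contain no raw tag delimiters.
// Returns the list of offending field names (empty means OK).
function findUnescapedFields(user) {
  return ['name', 'name_html'].filter((field) => /[<>]/.test(user[field] || ''));
}

// Constructed sample account whose display name contains markup.
const sampleAccount = {
  id: '1',
  username: 'alice',
  display_name: '<b>Alice</b> & "friends"'
};

const normalized = normalizeUser(sampleAccount);
console.log(normalized.name);
// expected: &lt;b&gt;Alice&lt;/b&gt; &amp; &quot;friends&quot;
console.log(findUnescapedFields(normalized)); // expected: []
```

The check matters most for templates that render with `v-html` (or any equivalent raw-HTML sink), since Vue's `{{ }}` interpolation escapes on its own; a field that is escaped at normalization and then shown through `{{ }}` would display literal `&lt;`, so the normalizer's contract (both fields are HTML-safe) has to match how the templates consume them.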
Pleroma-FE
A single column frontend designed for Pleroma.
For Translators
To translate Pleroma-FE, add your language to src/i18n/messages.js. Pleroma-FE will set your language by your browser locale, but you can temporarily force it in the code by changing the locale in main.js.
FOR ADMINS
You don't need to build Pleroma-FE yourself. Those using the Pleroma backend will be able to use it out of the box.
Build Setup
# install dependencies
npm install -g yarn
yarn
# serve with hot reload at localhost:8080
npm run dev
# build for production with minification
npm run build
# run unit tests
npm run unit
For Contributors:
You can create a file /config/local.json (see example) to enable some convenience dev options:
target: makes the local dev server redirect to some existing instance's BE instead of the local BE, useful for testing things in a near-production environment and searching for real-life use cases.
staticConfigPreference: makes the FE's /static/config.json take precedence over the BE-served /api/statusnet/config.json. Only works in dev mode.
The FE build process also leaves the current commit hash in the global variable ___pleromafe_commit_hash so that you can easily see which pleroma-fe commit an instance is running; this also helps pinpoint which commit was used when the FE was bundled into the BE.
Configuration
Edit config.json for configuration.
Options
Login methods
loginMethod can be set to either password (the default) or token. The token method uses the full OAuth redirection flow, which is useful for SSO situations.