Merge branch 'fix/chat-xss-vulnerability' of https://github.com/Alok-2005/sugarizer into pr/1939

Lionel Laské · Lionel Laské · commit 20c6a353176b · 2026-02-08T10:50:07.000+01:00
diff --git a/js/screens/loginscreen.js b/js/screens/loginscreen.js
@@ -266,6 +266,14 @@ const LoginScreen = {
 				}
 
 				else if (this.index.currentIndex === 1 && this.details.name.length > 0) { // name
+					// Validate username - check for HTML characters
+					const htmlChars = /[<>&"']/;
+					if (htmlChars.test(this.details.name)) {
+						this.warning.show = true;
+						this.warning.text = this.$t("InvalidName");
+						this.isLoading = false;
+						return;
+					}
 					if (sugarizer.getClientType() === sugarizer.constant.webAppType || this.details.serverAddress.length > 0) {
 						const info = await sugarizer.modules.server.getServerInformation(this.details.serverAddress);
 						this.consentNeed = info.options['consent-need'];
diff --git a/js/screens/settings-aboutme.js b/js/screens/settings-aboutme.js
@@ -201,6 +201,13 @@ const AboutMe = {
 				this.close('about_me');
 				return;
 			}
+			// Validate username - check for HTML characters
+			const htmlChars = /[<>&"']/;
+			if (htmlChars.test(this.name)) {
+				this.warning.show = true;
+				this.warning.text = this.$t('InvalidName');
+				return;
+			}
 			if (nameChanged && await sugarizer.modules.user.checkIfExists(null, this.name)) {
 				this.warning.show = true;
 				this.warning.text = this.$t('UserAlreadyExist');
