Merge branch 'pr/1939' into dev

Author: Lionel Laské

js/modules/user.js

@@ -59,6 +59,13 @@ define([], function() {
 		return settings && settings.sharedJournal ? settings.sharedJournal : null;
 	}
 
+	// Validate username - returns true if valid, false if contains HTML characters
+	let validateName = function(name) {
+		// Check for HTML special characters that could enable XSS
+		const htmlChars = /[<>&"']/;
+		return !htmlChars.test(name);
+	}
+
 	// Check if user exists
 	user.checkIfExists = function(baseurl, name) {
 		return new Promise((resolve, reject) => {
@@ -89,6 +96,10 @@ define([], function() {
 
 	// Signup user
 	user.signup = async function(baseurl, name, password, color) {
+		// Validate username - reject if contains HTML characters
+		if (!validateName(name)) {
+			throw new Error("Invalid username: contains forbidden characters");
+		}
 		const signupData = {
 			"name": `${name}`,
 			"password": `${password}`,
@@ -187,6 +198,11 @@ define([], function() {
 	// Update user information
 	user.update = function(data, dataLocal = null) {
 		return new Promise((resolve, reject) => {
+			// Validate username if being updated - reject if contains HTML characters
+			if (data.name && !validateName(data.name)) {
+				reject(new Error("Invalid username: contains forbidden characters"));
+				return;
+			}
 			// update the user locally
 			sugarizer.modules.settings.setUser(dataLocal ? dataLocal : data);
 

js/screens/loginscreen.js

@@ -266,6 +266,14 @@ const LoginScreen = {
 				}
 
 				else if (this.index.currentIndex === 1 && this.details.name.length > 0) { // name
+					// Validate username - check for HTML characters
+					const htmlChars = /[<>&"']/;
+					if (htmlChars.test(this.details.name)) {
+						this.warning.show = true;
+						this.warning.text = this.$t("InvalidName");
+						this.isLoading = false;
+						return;
+					}
 					if (sugarizer.getClientType() === sugarizer.constant.webAppType || this.details.serverAddress.length > 0) {
 						const info = await sugarizer.modules.server.getServerInformation(this.details.serverAddress);
 						this.consentNeed = info.options['consent-need'];
@@ -371,6 +379,11 @@ const LoginScreen = {
 					this.login(this.details.serverAddress, this.details.name, this.details.password);
 				}, (error) => {
 					console.log(error);
+					if (error.message && error.message.includes("Invalid username")) {
+						this.warning.show = true;
+						this.warning.text = this.$t("InvalidName");
+						this.isLoading = false;
+					}
 				});
 			}
 

js/screens/settings-aboutme.js

@@ -186,6 +186,11 @@ const AboutMe = {
 				)
 				.then(() => {
 					sugarizer.reload();
+				}, (error) => {
+					if (error.message && error.message.includes("Invalid username")) {
+						this.warning.show = true;
+						this.warning.text = this.$t("InvalidName");
+					}
 				});
 		},
 
@@ -196,6 +201,13 @@ const AboutMe = {
 				this.close('about_me');
 				return;
 			}
+			// Validate username - check for HTML characters
+			const htmlChars = /[<>&"']/;
+			if (htmlChars.test(this.name)) {
+				this.warning.show = true;
+				this.warning.text = this.$t('InvalidName');
+				return;
+			}
 			if (nameChanged && await sugarizer.modules.user.checkIfExists(null, this.name)) {
 				this.warning.show = true;
 				this.warning.text = this.$t('UserAlreadyExist');

locales/ar.json

@@ -136,6 +136,7 @@
 	"ChoosePassword": "Choose at least {{min}} images:",
 	"UserLoginInvalid": "Invalid user name or images",
 	"UserAlreadyExist": "User already exist",
+	"InvalidName": "Invalid user name",
 	"ServerError": "Server error code {{code}}",
 	"ServerNotSet": "مُهيّء  مزودك غير",
 	"AndroidSettings": "إعدادات الروبوت",

locales/de.json

@@ -135,6 +135,7 @@
 	"ChoosePassword": "Wähle zumindest {{min}} Bilder:",
 	"UserLoginInvalid": "Ungültiger Benutzername oder Bilder",
 	"UserAlreadyExist": "Benutzer existiert bereits",
+	"InvalidName": "Ungültiger Benutzername",
 	"ServerError": "Server error code {{code}}",
 	"ClickToColor": "Klicke um die Farbe zu setzen:",
 	"ServerNotSet": "Dein Server ist noch nicht eingetragen",

locales/en.json

@@ -136,6 +136,7 @@
 	"ChoosePassword": "Choose at least {{min}} images:",
 	"UserLoginInvalid": "Invalid user name or images",
 	"UserAlreadyExist": "User already exist",
+	"InvalidName": "Invalid name",
 	"ServerError": "Server error code {{code}}",
 	"ServerNotSet": "Your server is not set",
 	"AndroidSettings": "Android Settings",

locales/es.json

@@ -136,6 +136,7 @@
 	"ChoosePassword": "Escoge, al menos, {{min}} imágenes:",
 	"UserLoginInvalid": "Nombre o imágenes de usuario no válidas",
 	"UserAlreadyExist": "Ese usuario ya existe",
+	"InvalidName": "Nombre de usuario no válido",
 	"ServerError": "Server error code {{code}}",
 	"ServerNotSet": "No se ha especificado el servidor",
 	"AndroidSettings": "Configuración de Android",

locales/fr.json

@@ -136,6 +136,7 @@
 	"ChoosePassword": "Choisir au moins {{min}} images:",
 	"UserLoginInvalid": "Nom d'utilisateur ou images invalides",
 	"UserAlreadyExist": "Cet utilisateur existe déjà",
+	"InvalidName": "Nom d'utilisateur invalide",
 	"ServerError": "Erreur serveur code {{code}}",
 	"ServerNotSet": "Votre serveur n'est pas configuré",
 	"AndroidSettings": "Paramètres Android",

locales/ibo.json

@@ -136,6 +136,7 @@
 	"ChoosePassword": "Choose at least {{min}} images:",
 	"UserLoginInvalid": "Invalid user name or images",
 	"UserAlreadyExist": "User already exist",
+	"InvalidName": "Invalid user name",
 	"ServerError": "Server error code {{code}}",
 	"ServerNotSet": "Gị na ihe nkesa na-adịghị ka",
 	"AndroidSettings": "android ntọala",

locales/ja.json

@@ -136,6 +136,7 @@
 	"ChoosePassword": "Choose at least {{min}} images:",
 	"UserLoginInvalid": "Invalid user name or images",
 	"UserAlreadyExist": "User already exist",
+	"InvalidName": "Invalid user name",
 	"ServerError": "Server error code {{code}}",
 	"ServerNotSet": "サーバーがセットされていません",
 	"AndroidSettings": "Android の設定",