From af017bf1256a61a800dc30cbb24857cbb00439aa Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jan=20Gro=C3=9F?= <git@minzkraut.com>
Date: Thu, 9 Mar 2023 12:14:49 +0100
Subject: [PATCH] Profile: encode special XML characters in usernames and
 descriptions this fixes the problem of profiles not rendering when a user has
 special characters such as < or > in their name or status. We didn't
 implement proper sanitization considering this method of profile rendering is
 going to be obsolete soon.

---
 commands/profile.js | 17 ++++++++++++++---
 1 file changed, 14 insertions(+), 3 deletions(-)

diff --git a/commands/profile.js b/commands/profile.js
index eefe848..5eed598 100644
--- a/commands/profile.js
+++ b/commands/profile.js
@@ -29,10 +29,10 @@ module.exports = {
         let profile = await user.getProfile();
 
         let customStatus = profile.customStatus.replace(/(.{0,40}[\s])/g, '<tspan x="443" dy="1.2em">$1</tspan>');
-
+          
         let profileTemplate = fs.readFileSync('/app/assets/profile/profile.svg').toString();
-        profileTemplate = profileTemplate.replace(/{{USERNAME}}/g, discordUser.username.substr(0,15)+(discordUser.username.length>15?'...':''));
-        profileTemplate = profileTemplate.replace(/{{PROFILE_TEXT}}/g, customStatus );
+        profileTemplate = profileTemplate.replace(/{{USERNAME}}/g, this.encodeStr(discordUser.username.substr(0,15)+(discordUser.username.length>15?'...':'')));
+        profileTemplate = profileTemplate.replace(/{{PROFILE_TEXT}}/g, this.encodeStr(customStatus) );
         profileTemplate = profileTemplate.replace(/{{HEADER_COLOR}}/g, '190,31,97');
         profileTemplate = profileTemplate.replace(/{{CC}}/g, await Card.count({where: {userId: user.id}}));
         profileTemplate = profileTemplate.replace(/{{LVL}}/g, await user.level().currentLevel);
@@ -64,5 +64,16 @@ module.exports = {
 
         let profileImage = await Compositing.renderProfile(profile, background, renderedCards);
         await interaction.editReply({ files: [profileImage] });
+    },
+    encodeStr: function(str) {
+        let charMapping = {
+            '&': '&amp;',
+            '"': '&quot;',
+            '<': '&lt;',
+            '>': '&gt;'
+        };
+        return str.replace(/([\&"<>])/g, function(str, item) {
+            return charMapping[item];
+        });
     }
 }
\ No newline at end of file