fix: closes #13475, don't store escaped username

when updating profile
2025-11-10 07:55:46 +01:00 · 2025-06-05 11:42:29 -04:00
parent 4fbcfae8b1
commit 806e54bf5a
2 changed files with 28 additions and 5 deletions
--- a/src/api/users.js
+++ b/src/api/users.js
@@ -57,7 +57,7 @@ usersAPI.update = async function (caller, data) {
 		throw new Error('[[error:invalid-data]]');
 	}

-	const oldUserData = await user.getUserFields(data.uid, ['email', 'username']);
+	const oldUserData = await db.getObjectFields(`user:${data.uid}`, ['email', 'username']);
 	if (!oldUserData || !oldUserData.username) {
 		throw new Error('[[error:invalid-data]]');
 	}
@@ -86,14 +86,14 @@ usersAPI.update = async function (caller, data) {

 	await user.updateProfile(caller.uid, data);
 	const userData = await user.getUserData(data.uid);
-
-	if (userData.username !== oldUserData.username) {
+	const oldUsernameEscaped = validator.escape(String(oldUserData.username));
+	if (userData.username !== oldUsernameEscaped) {
 		await events.log({
 			type: 'username-change',
 			uid: caller.uid,
 			targetUid: data.uid,
 			ip: caller.ip,
-			oldUsername: oldUserData.username,
+			oldUsername: oldUsernameEscaped,
 			newUsername: userData.username,
 		});
 	}