From 5fff7504e5e531ae4dadad73ca40624135a01995 Mon Sep 17 00:00:00 2001 From: Apple Sheeple Date: Mon, 18 Sep 2023 22:31:27 +0300 Subject: [PATCH 1/2] Reject registration application if sanitizing the username modifies it This removes the possibility of using a mix of sanitized and non-sanitized values for `username` in code. Signed-off-by: Apple Sheeple --- crates/api_crud/src/user/create.rs | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/crates/api_crud/src/user/create.rs b/crates/api_crud/src/user/create.rs index 02c95cb0..22dcd0dc 100644 --- a/crates/api_crud/src/user/create.rs +++ b/crates/api_crud/src/user/create.rs @@ -89,7 +89,10 @@ pub async fn register( let slur_regex = local_site_to_slur_regex(&local_site); check_slurs(&data.username, &slur_regex)?; check_slurs_opt(&data.answer, &slur_regex)?; - let username = sanitize_html_api(&data.username); + + if sanitize_html_api(&data.username) != data.username { + Err(LemmyErrorType::InvalidName)?; + } let actor_keypair = generate_actor_keypair()?; is_valid_actor_name(&data.username, local_site.actor_name_max_length as usize)?; @@ -109,7 +112,7 @@ pub async fn register( // Register the new person let person_form = PersonInsertForm::builder() - .name(username) + .name(data.username.clone()) .actor_id(Some(actor_id.clone())) .private_key(Some(actor_keypair.private_key)) .public_key(actor_keypair.public_key) From c05458adcd359d7805a0e6ffc1f3941919946a1f Mon Sep 17 00:00:00 2001 From: Apple Sheeple Date: Mon, 18 Sep 2023 22:36:38 +0300 Subject: [PATCH 2/2] Sanitize registration application answer Signed-off-by: Apple Sheeple --- crates/api_crud/src/user/create.rs | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/crates/api_crud/src/user/create.rs b/crates/api_crud/src/user/create.rs index 22dcd0dc..c56c1362 100644 --- a/crates/api_crud/src/user/create.rs +++ b/crates/api_crud/src/user/create.rs 
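Review bot: In the `@@ -89,7 +89,10` hunk of PATCH 1/2, the new `if sanitize_html_api(&data.username) != data.username` guard has no comment saying it is a reject-instead-of-rewrite check, so a later edit could reintroduce a sanitized copy next to the raw value. I would add `// Reject rather than rewrite: past this point data.username is known to be unchanged by sanitize_html_api.` directly above it. The guard also sits between `check_slurs` and `is_valid_actor_name`, with `generate_actor_keypair()?` running before the second name check. Moving the keypair generation below both name checks would let invalid names fail before what is presumably the costlier step. `register` starts and ends outside the hunk.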
@@ -11,6 +11,7 @@ use lemmy_api_common::{ local_site_to_slur_regex, password_length_check, sanitize_html_api, + sanitize_html_api_opt, send_new_applicant_email_to_admins, send_verification_email, EndpointType, @@ -94,6 +95,8 @@ pub async fn register( Err(LemmyErrorType::InvalidName)?; } + let answer = sanitize_html_api_opt(&data.answer); + let actor_keypair = generate_actor_keypair()?; is_valid_actor_name(&data.username, local_site.actor_name_max_length as usize)?; let actor_id = generate_local_apub_endpoint( @@ -149,7 +152,7 @@ pub async fn register( let form = RegistrationApplicationInsertForm { local_user_id: inserted_local_user.id, // We already made sure answer was not null above - answer: data.answer.clone().expect("must have an answer"), + answer: answer.expect("must have an answer"), }; RegistrationApplication::create(&mut context.pool(), &form).await?;
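Review bot: In the `@@ -95,6 +95,8` hunk, `let answer = sanitize_html_api_opt(&data.answer);` creates a sanitized copy while the raw `data.answer` stays in scope, which is the mix of sanitized and non-sanitized values that PATCH 1/2 removed for `username`. The slur check visible in the first patch's hunk, `check_slurs_opt(&data.answer, &slur_regex)?;`, runs on the raw text, so if the sanitizer changes the answer, the stored text is not the text that was checked. Either sanitize first and check the result, `check_slurs_opt(&answer, &slur_regex)?;`, or reject a modified answer the same way the username is rejected. `register` continues outside the hunk, so other uses of `data.answer` are not visible here.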
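Review bot: In the `@@ -149,7 +152,7` hunk, the comment `// We already made sure answer was not null above` now describes a different variable. The earlier check is outside the hunk and was presumably made on `data.answer`, while `expect` is now called on the result of `sanitize_html_api_opt`. The panic is unreachable only if that helper returns `Some` for every `Some` input, which its body (not shown here) would have to confirm. I would reword the comment to `// data.answer was checked for None above; sanitize_html_api_opt is expected to map Some to Some`, or remove the panic path in the request handler by returning an error when `answer` is `None`.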