Special symbols in matrix names

[itay-grudev]

Description

When a user uses special characters in their name it breaks the citing feature. Here is an example of a user that uses two line feed characters in their name which produces the following result in the message input field:

And after posting produces the following message:

The exact JSON with the user details is the following:

{ 
    "displayname": "\n\nJonas"
}

Interesting note: The API returns the line feeds in the name, but the user claims what they originally inputted was an em-space character. So this is likely the results of an ASCII transformation of the non-ASCII characters (hence his message, intentionally included in the screenshot).

Steps to reproduce

• Find a user with a hacked name that includes new lines
• Try and cite them
• Be miserable for a second hating Riot and Matrix while they are both really great projects.
• Post the message, then edit it and remove the new lines to produce a nice looking pill.

Version information

riot: 1.4.0
matrix-react-sdk version: 1.6.0
riot-web version: master
olm version: 3.1.0

[weeman1337]

Still valid

[Johennes]

I'm downgrading this to minor because not using newlines in your display name feels like an acceptable workaround to me.

[Johennes]

Otherwise I can reproduce the issue. After changing my display name to this

others can still mention me in the composer

but the timeline rendering doesn't display the user pill

[Johennes]

I think part of the issue here is that Markdown doesn't support linebreaks in links without HTML. E.g. you can't do

[a
b](foo.bar)

but you can do

[a<br/>b](foo.bar)

I tried replacing \n with <br/> when serializing the user pill to Markdown in https://github.com/matrix-org/matrix-react-sdk/blob/develop/src/editor/serialize.ts#L51. That actually unbreaks the timeline rendering of pills but the HTML that is serialized from the Markdown+HTML ends up being half-escaped only:

<a href=\"https://matrix.to/#/@johannesm:element.io\">Johannes&lt;br/&gt;<br>Marbach</a>

[Johennes]

[...] but the HTML that is serialized from the Markdown+HTML ends up being half-escaped only

Actually scratch that. I was missing the g flag on the regex replace. 🤦‍♂️

[Johennes]

I think we would actually want the <br/>s to be unescaped in the HTML though. For this to happen, we'd have to allow them in https://github.com/matrix-org/matrix-react-sdk/blob/develop/src/Markdown.ts#L30. It looks like that might get quite fiddly though because we probably only want to allow them in this edge case.

[Johennes]

In reconsidering, something else we could do is simply strip the newlines from both body and formatted_body. We already ignore them when rendering pills due to our use of textContent.

[t3chguy]

It looks like that might get quite fiddly though because we probably only want to allow them in this edge case.

I don't think that necessarily has to be true. Technically commonmark is a superset of HTML even though we don't treat it as such. We allow certain tags like del u sup sub so adding br wouldn't be a big deal.

In reconsidering, something else we could do is simply strip the newlines from both body and formatted_body. We already ignore them when rendering pills due to our use of textContent.

Stripping newlines from body would break paragraphs in plaintext messages, no?

[Johennes]

I don't think that necessarily has to be true. Technically commonmark is a superset of HTML even though we don't treat it as such. We allow certain tags like del u sup sub so adding br wouldn't be a big deal.

Hm, good point. It would just mean that you couldn't send a literal "<br/>" anymore without putting it into backticks. But that's probably not problematic.

Stripping newlines from body would break paragraphs in plaintext messages, no?

Yes sorry, I meant stripping them only within user display name parts.

That being said, since we can easily and generally exclude brs from escaping in our Markdown to HTML conversion, retaining the newlines is probably the more correct fix.

[t3chguy]

without putting it into backticks

or escape it using \