From 7c600a2a676669760d7a371c62438d1b8cce5814 Mon Sep 17 00:00:00 2001
From: csd4ni3l
Date: Fri, 24 Oct 2025 18:03:16 +0200
Subject: [PATCH] fix change username XSS

---
 app.py | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/app.py b/app.py
index 8b0e8df..a6b24f0 100644
--- a/app.py
+++ b/app.py
@@ -166,7 +166,10 @@ def profile_external(username):
 def change_username():
     username = flask_login.current_user.id
-    new_username = request.form["new_username"]
+    if request.form["new_username"] != html.escape(request.form["new_username"], quote=True):
+        return "No XSS please"
+
+    new_username = html.escape(request.form["new_username"], quote=True)
     cur = get_db().cursor()