From d8f322399cc199d824712c7c06ca208cc19f83ff Mon Sep 17 00:00:00 2001
From: Pyjacpp
Date: Sun, 26 Apr 2026 19:33:50 +0200
Subject: [PATCH] Sanitize Note Usernames
---
 .../mediakiwi/WSONoteKfetAuth/src/NoteKfetAuth.php | 13 ++++++++++++-
 1 file changed, 12 insertions(+), 1 deletion(-)
diff --git a/hosts/vm/mediakiwi/WSONoteKfetAuth/src/NoteKfetAuth.php b/hosts/vm/mediakiwi/WSONoteKfetAuth/src/NoteKfetAuth.php
index 73b5305..fd2755d 100644
--- a/hosts/vm/mediakiwi/WSONoteKfetAuth/src/NoteKfetAuth.php
+++ b/hosts/vm/mediakiwi/WSONoteKfetAuth/src/NoteKfetAuth.php
@@ -50,6 +50,8 @@ class NoteKfetAuth extends AuthProvider {
 */
 public function login( ?string &$key, ?string &$secret, ?string &$authUrl ): bool {
+ // This state is used to prevent CSRF, i.e., ensuring that authentification request
+ // were initiated on our website.
 $state = random_int(PHP_INT_MIN, PHP_INT_MAX);
 $secret = "$state";
 $authUrl = $GLOBALS['wgNoteKfetUrl'] . "o/authorize/?" . http_build_query([
@@ -85,7 +87,7 @@ class NoteKfetAuth extends AuthProvider {
 $userInfos = $this->getUserInfos( $token );
 
 return [
- 'name' => "note_$userInfos->normalized_name",
+ 'name' => this->sanitizeName( "$userInfos->normalized_name (note)" ),
 'realname' => $userInfos->username,
 'email' => $userInfos->email,
 ];
@@ -94,6 +96,15 @@ class NoteKfetAuth extends AuthProvider {
 }
 }
 
+ private function sanitizeName( string $name ) {
+ // We replace forbidden chars.
+ $res = preg_replace('/[#\/:<>=@\|]/', '-', $name);
+ $res = preg_replace(['/[\[{]/', '/[\]}]/'], ['(', ')'], $res);
+ $res = str_replace('_', ' ', $res);
+ // We remove the last controls chars possibly remaining.
+ return preg_replace('/[^a-zA-Z0-9 !\"$%&\'()*+,\-.;?\\\^`~]/', '', $res);
+ }
+
 private function getAccessTokens( string $code ) {
 $data = [
 'grant_type' => 'authorization_code',
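Review bot: The comment added above `$state = random_int(PHP_INT_MIN, PHP_INT_MAX);` has grammar slips ("authentification request were"); suggest `// This state is used to prevent CSRF, i.e. to ensure that the authentication request was initiated on our website.` The comment asserts a CSRF property, but the place where the returned state is compared against `$secret` on the callback is not in this hunk, so the wording should be checked against that code path. The body of login continues past the end of the hunk.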
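Review bot: `'name' => this->sanitizeName( ... )` on the new side is missing the `$` before `this`; PHP resolves a bare `this` as a constant, which is undefined, so the expression errors instead of calling the sanitizer and every login through this provider fails. The line should read `'name' => $this->sanitizeName( "$userInfos->normalized_name (note)" ),`. Because the account name is now produced by a lossy character mapping rather than a fixed `note_` prefix, it is worth confirming in the caller (outside this hunk) that the result cannot collide with a locally registered user whose name already ends in ` (note)`, if the wiki allows such local registrations. The enclosing method and its try/catch start before and end after this hunk.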
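Review bot: `sanitizeName` can return `null` or a string with no user part, and either would flow straight into the `name` field returned to the caller. `preg_replace` returns `null` on a PCRE error, and the final pattern has no `u` modifier and strips every byte outside a fixed ASCII set, so a `normalized_name` made only of non-ASCII letters collapses to ` (note)` — one name shared by every such user, i.e. distinct Note accounts mapped onto the same wiki account; the earlier substitutions are many-to-one as well (`a#b` and `a/b` both become `a-b`). Declare the return type and fail closed on a `null` result rather than passing it on; since the caller appends ` (note)` before sanitizing, the blank check below will not catch a user part that was stripped entirely, so that check belongs in the caller against `normalized_name` itself. If MediaWiki-legal names are the goal, note that the default `$wgLegalTitleChars` admits `\x80-\xFF`, so dropping all non-ASCII is stricter than needed and lossy for accented names; whether throwing is the right failure mode depends on the try/catch whose closing braces open this hunk turning exceptions into a failed login. The method also lacks a docblock; suggest `/** Map a Note username onto characters MediaWiki accepts in a user name. The mapping is lossy: distinct inputs may yield the same output. */`.
```php
private function sanitizeName( string $name ): string {
	// … unchanged: character substitutions into $res …
	$res = preg_replace('/[^a-zA-Z0-9 !\"$%&\'()*+,\-.;?\\\^`~]/', '', $res);
	// Fail closed: a PCRE error (null) or a name reduced to nothing must not become an account name.
	if ( $res === null || trim( $res ) === '' ) {
		throw new \RuntimeException( 'Note username cannot be mapped to a valid wiki user name' );
	}
	return $res;
}
```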