Sanitize Note Usernames

hosts/vm/mediakiwi/WSONoteKfetAuth/src/NoteKfetAuth.php

@@ -50,6 +50,8 @@ class NoteKfetAuth extends AuthProvider {
 	 */
 	public function login( ?string &$key, ?string &$secret, ?string &$authUrl ): bool {
 
+		// This state is used to prevent CSRF, i.e., ensuring that authentification request
+		// were initiated on our website.
 		$state = random_int(PHP_INT_MIN, PHP_INT_MAX);
 		$secret = "$state";
 		$authUrl = $GLOBALS['wgNoteKfetUrl'] . "o/authorize/?" . http_build_query([
@@ -85,7 +87,7 @@ class NoteKfetAuth extends AuthProvider {
 			$userInfos = $this->getUserInfos( $token );
 
 			return [
-				'name' => "note_$userInfos->normalized_name",
+				'name' => this->sanitizeName( "$userInfos->normalized_name (note)" ),
 				'realname' => $userInfos->username,
 				'email' => $userInfos->email,
 			];
@@ -94,6 +96,15 @@ class NoteKfetAuth extends AuthProvider {
 		}
 	}
 
+	private function sanitizeName( string $name ) {
+		// We replace forbidden chars.
+		$res = preg_replace('/[#\/:<>=@\|]/', '-', $name);
+		$res = preg_replace(['/[\[{]/', '/[\]}]/'], ['(', ')'], $res);
+		$res = str_replace('_', ' ', $res);
+		// We remove the last controls chars possibly remaining.
+		return preg_replace('/[^a-zA-Z0-9 !\"$%&\'()*+,\-.;?\\\^`~]/', '', $res);
+	}
+
 	private function getAccessTokens( string $code ) {
 		$data = [
 			'grant_type' => 'authorization_code',