fix: closes #13475, don't store escaped username

when updating profile
2026-05-07 09:37:20 +02:00 · 2025-06-05 11:42:29 -04:00
parent 4fbcfae8b1
commit 806e54bf5a
2 changed files with 28 additions and 5 deletions
--- a/test/user.js
+++ b/test/user.js
@@ -748,7 +748,9 @@ describe('User', () => {
 					signature: 'nodebb is good',
 					password: '123456',
 				};
-				const result = await apiUser.update({ uid: uid }, { ...data, password: '123456', invalid: 'field' });
+				const result = await apiUser.update({ uid: uid }, {
+					...data, password: '123456', invalid: 'field',
+				});
 				assert.equal(result.username, 'updatedUserName');
 				assert.equal(result.userslug, 'updatedusername');
 				assert.equal(result.fullname, 'updatedFullname');
@@ -767,6 +769,27 @@ describe('User', () => {
 				assert.strictEqual(userData.invalid, undefined);
 			});

+			it('should not change the username to escaped version', async () => {
+				const uid = await User.create({
+					username: 'ex\'ample_user', email: '13475@test.com', password: '123456',
+				});
+				await User.setUserField(uid, 'email', '13475@test.com');
+				await User.email.confirmByUid(uid);
+
+				const data = {
+					uid: uid,
+					username: 'ex\'ample_user',
+					password: '123456',
+				};
+				const result = await apiUser.update({ uid: uid }, {
+					...data, password: '123456', invalid: 'field',
+				});
+				const storedUsername = await db.getObjectField(`user:${uid}`, 'username');
+				assert.equal(result.username, 'ex&#x27;ample_user');
+				assert.equal(storedUsername, 'ex\'ample_user');
+				assert.equal(result.userslug, 'ex-ample_user');
+			});
+
 			it('should also generate an email confirmation code for the changed email', async () => {
 				const confirmSent = await User.email.isValidationPending(uid, 'updatedemail@me.com');
 				assert.strictEqual(confirmSent, true);