From fa7dcdb9686e2af14b83c3a8775828bd53b2c22d Mon Sep 17 00:00:00 2001
From: Julian Lam <julian@nodebb.org>
Date: Mon, 31 Jan 2022 17:02:48 -0500
Subject: [PATCH] fix: proactively guard against homograph characters in
 website values

---
 src/user/profile.js | 29 ++++++++++++++++++++++-------
 1 file changed, 22 insertions(+), 7 deletions(-)

diff --git a/src/user/profile.js b/src/user/profile.js
index 3c93cb8bd0..6f77806d4f 100644
--- a/src/user/profile.js
+++ b/src/user/profile.js
@@ -4,6 +4,7 @@
 const _ = require('lodash');
 const validator = require('validator');
 const winston = require('winston');
+const punycode = require('punycode');
 
 const utils = require('../utils');
 const slugify = require('../slugify');
@@ -45,14 +46,28 @@ module.exports = function (User) {
 
 			data[field] = data[field].trim();
 
-			if (field === 'email') {
-				return await updateEmail(updateUid, data.email);
-			} else if (field === 'username') {
-				return await updateUsername(updateUid, data.username);
-			} else if (field === 'fullname') {
-				return await updateFullname(updateUid, data.fullname);
+			switch (field) {
+				case 'email': {
+					return await updateEmail(updateUid, data.email);
+				}
+
+				case 'username': {
+					return await updateUsername(updateUid, data.username);
+				}
+
+				case 'fullname': {
+					return await updateFullname(updateUid, data.fullname);
+				}
+
+				case 'website': {
+					updateData[field] = punycode.toASCII(data[field]);
+					break;
+				}
+
+				default: {
+					updateData[field] = data[field];
+				}
 			}
-			updateData[field] = data[field];
 		}));
 
 		if (Object.keys(updateData).length) {