OSM username isn't escaped properly

[gravitystorm]

URL

No response

How to reproduce the issue?

1. Set your OSM username to something containing an HTML tag, like Test <hr> McTesty
2. Make some changes in iD and press upload
3. Notice that the username has been put directly into the html, instead of being escaped.

I realise this won't come up in many circumstances, but the unusual name on my development machine is a side-effect of some XSS testing for website that I was doing a few months ago. Although unlikely to be exploitable (since the username within iD is only shown to the user, not to anyone else, and due to limitations on the characters permitted in the OSM username) it's probably worth addressing anyway, and might indicate other places where "user supplied" information from the API isn't being escaped.

Screenshot(s) or anything else?

Note how the username in the rails port (circled green, top right) is properly escaped, but within iD it is not escaped (circled red, bottom left)

Which iD Editor versions do you see the issue on?

Released version at openstreetmap.org/edit

Which browsers are you seeing this problem on?

Firefox

[1ec5]

This regression was introduced in 32f8274 for #7998. That PR effectively removed much of the string sanitization from the codebase, including for this part of the UI. Some of the sanitization may have been unnecessary, but it’s hard to say with such a large change. Unfortunately, there are also some places where the fix will be less straightforward, like in detectConflicts.formatUser.

[jleedev]

This regressed in 43fe6e9