From 6b33c6e16a7d4a7a214c74e4f50a3afc67c41d50 Mon Sep 17 00:00:00 2001
From: silver
Date: Tue, 24 Mar 2026 13:28:34 +0100
Subject: [PATCH] fix(SessionService): sanitize displayName to utf8 encoding
Signed-off-by: silver
---
 lib/Service/SessionService.php | 12 +++++++++---
 1 file changed, 9 insertions(+), 3 deletions(-)
diff --git a/lib/Service/SessionService.php b/lib/Service/SessionService.php
index bca114942c9..789cdfdfca0 100644
--- a/lib/Service/SessionService.php
+++ b/lib/Service/SessionService.php
@@ -32,6 +32,7 @@ class SessionService {
 private IAvatarManager $avatarManager;
 private ?string $userId;
 private ICache $cache;
+ private EncodingService $encodingService;
 /** @var ?Session cache current session in the request */
 private ?Session $session = null;
@@ -46,12 +47,14 @@ public function __construct(
 IManager $directManager,
 ?string $userId,
 ICacheFactory $cacheFactory,
+ EncodingService $encodingService,
 ) {
 $this->sessionMapper = $sessionMapper;
 $this->secureRandom = $secureRandom;
 $this->timeFactory = $timeFactory;
 $this->userManager = $userManager;
 $this->avatarManager = $avatarManager;
+ $this->encodingService = $encodingService;
 $this->userId = $userId;
 $token = $request->getParam('token');
@@ -99,7 +102,8 @@ public function getAllSessions(int $documentId): array {
 return array_map(function (Session $session) {
 $result = $session->jsonSerialize();
 if (!$session->isGuest()) {
- $result['displayName'] = $this->userManager->getDisplayName($session->getUserId());
+ $displayName = $this->userManager->getDisplayName($session->getUserId()) ?? '';
+ $result['displayName'] = $this->encodingService->encodeToUtf8($displayName) ?? $displayName;
 }
 return $result;
 }, $sessions);
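Review bot: When `encodeToUtf8()` returns null, the second added line in getAllSessions() falls back to the original `$displayName`, i.e. the very bytes that could not be converted, so an invalid display name still reaches the serialized session list; the same fallback is repeated in getActiveSessions() and getNameForSession(). The body of `encodeToUtf8()` is not shown here, but the `??` implies it returns null on failure. Fall back to a value that is guaranteed to be valid UTF-8 instead, e.g. `$this->encodingService->encodeToUtf8($displayName) ?? mb_scrub($displayName, 'UTF-8')`. Moving the two lines into one private helper would also keep the three call sites from drifting apart.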
@@ -114,7 +118,8 @@ public function getActiveSessions(int $documentId): array {
 return array_map(function (Session $session) {
 $result = $session->jsonSerialize();
 if (!$session->isGuest()) {
- $result['displayName'] = $this->userManager->getDisplayName($session->getUserId());
+ $displayName = $this->userManager->getDisplayName($session->getUserId()) ?? '';
+ $result['displayName'] = $this->encodingService->encodeToUtf8($displayName) ?? $displayName;
 }
 return $result;
 }, $sessions);
@@ -122,7 +127,8 @@ public function getActiveSessions(int $documentId): array {
 public function getNameForSession(Session $session): ?string {
 if (!$session->isGuest()) {
- return $this->userManager->getDisplayName($session->getUserId());
+ $displayName = $this->userManager->getDisplayName($session->getUserId()) ?? '';
+ return $this->encodingService->encodeToUtf8($displayName) ?? $displayName;
 }
 return $session->getGuestName();
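Review bot: getNameForSession() is still declared `?string`, but with `?? ''` on the first added line the non-guest branch no longer returns null when the user manager has no display name; it returns an empty string instead. A caller that tests the result against null to choose a fallback label would now show an empty name, so either drop the `?? ''` and return early with `if ($displayName === null) { return null; }`, or confirm that every caller treats '' like null. The guest branch still returns `$session->getGuestName()` unconverted; guest names come from the client, so unless they are validated as UTF-8 where the session is created (not visible in this hunk) they need the same conversion. The function's closing brace lies outside the hunk.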