diff --git a/apps/server/src/modules/account/controller/api-test/account.api.spec.ts b/apps/server/src/modules/account/controller/api-test/account.api.spec.ts
index f921104e9d2..d544a8590f9 100644
--- a/apps/server/src/modules/account/controller/api-test/account.api.spec.ts
+++ b/apps/server/src/modules/account/controller/api-test/account.api.spec.ts
@@ -155,6 +155,24 @@ describe('Account Controller (API)', () => {
.send(params)
.expect(400);
});
+
+ it('should strip HTML off of firstName and lastName', async () => {
+ currentUser = mapUserToCurrentUser(teacherUser, teacherAccount);
+ const params: PatchMyAccountParams = {
+ passwordOld: defaultPassword,
+ firstName: 'Jane',
+ lastName: 'Doe',
+ };
+
+ await request(app.getHttpServer()) //
+ .patch(`${basePath}/me`)
+ .send(params)
+ .expect(200);
+
+ const updatedUser = await em.findOneOrFail(User, teacherUser.id);
+ expect(updatedUser.firstName).toEqual('Jane');
+ expect(updatedUser.lastName).toEqual('Doe');
+ });
});
describe('[GET]', () => {
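Review bot: The new test never sends any HTML, so it passes with or without `@SanitizeHtml()` on the DTO — `firstName: 'Jane'` and `lastName: 'Doe'` already equal the values asserted on `updatedUser`. Send tagged input and keep the plain expectation so the test actually pins the sanitization, e.g. `firstName: '<b>Jane</b>',` and `lastName: '<i>Doe</i>',` in `params`, leaving the two `toEqual` assertions as they are. A second case with a value that is only markup (e.g. `'<b></b>'`) would also document whether an empty post-sanitization name is accepted or rejected, which this hunk does not show. The enclosing `describe` block starts outside the hunk.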
diff --git a/apps/server/src/modules/account/controller/dto/patch-my-account.params.ts b/apps/server/src/modules/account/controller/dto/patch-my-account.params.ts
index 28874bb255a..083a75b4545 100644
--- a/apps/server/src/modules/account/controller/dto/patch-my-account.params.ts
+++ b/apps/server/src/modules/account/controller/dto/patch-my-account.params.ts
@@ -1,5 +1,5 @@
import { ApiProperty } from '@nestjs/swagger';
-import { PrivacyProtect } from '@shared/controller';
+import { PrivacyProtect, SanitizeHtml } from '@shared/controller';
import { IsEmail, IsOptional, IsString, Matches } from 'class-validator';
import { passwordPattern } from './password-pattern';
@@ -34,6 +34,7 @@ export class PatchMyAccountParams {
@IsString()
@IsOptional()
+ @SanitizeHtml()
@ApiProperty({
description: 'The new first name for the current user.',
required: false,
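Review bot: The `@ApiProperty` description directly below the added `@SanitizeHtml()` still reads as if the value is stored verbatim, but the decorator now silently alters client input rather than rejecting it, which is an API-contract change clients should be able to see in Swagger. Suggest `description: 'The new first name for the current user. HTML tags are stripped from the value.',` here, and the equivalent wording on the lastName property in the following hunk. Whether `@SanitizeHtml()` runs before the `@IsString()`/`@IsOptional()` checks and tolerates an undefined optional value is not visible in this diff; the test in the spec hunk would be the place to confirm it.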
@@ -43,6 +44,7 @@ export class PatchMyAccountParams {
@IsString()
@IsOptional()
+ @SanitizeHtml()
@ApiProperty({
description: 'The new last name for the current user.',
required: false,