Merge f0affdfa3c into d8be2ad942

Fixes: #1990

Signed-off-by: Johannes Marbach <n0-0ne+github@mailbox.org>

changelogs/client_server/newsfragments/2214.clarification

@@ -0,0 +1 @@
+Push rule IDs are globally unique within their kind.

changelogs/client_server/newsfragments/2215.clarification

@@ -0,0 +1 @@
+Don't advertise `creator` field in description of room creation.

changelogs/client_server/newsfragments/2217.clarification

@@ -0,0 +1 @@
+The `server-name` segment of MXC URIs is sanitised differently from the `media-id` segment.

content/client-server-api/_index.md

@@ -3386,10 +3386,10 @@ Unspecified room types are permitted through the use of
 ### Creation
 
 The homeserver will create an `m.room.create` event when a room is
-created, which serves as the root of the event graph for this room. This
+created, which serves as the root of the event graph for this room. The
-event also has a `creator` key which contains the user ID of the room
+event `sender` is the user ID of the room creator. The server will also
-creator. It will also generate several other events in order to manage
+generate several other events in order to manage permissions in this room.
-permissions in this room. This includes:
+This includes:
 
 -   `m.room.power_levels` : Sets the power levels of users and required power
     levels for various actions within the room such as sending events.

content/client-server-api/modules/content_repo.md

@@ -134,9 +134,14 @@ entity isn't in the room.
 `mxc://` URIs are vulnerable to directory traversal attacks such as
 `mxc://127.0.0.1/../../../some_service/etc/passwd`. This would cause the
 target homeserver to try to access and return this file. As such,
-homeservers MUST sanitise `mxc://` URIs by allowing only alphanumeric
+homeservers MUST sanitise `mxc://` URIs by:
-(`A-Za-z0-9`), `_` and `-` characters in the `server-name` and
+
-`media-id` values. This set of whitelisted characters allows URL-safe
+-   restricting the `server-name` segment to valid
+    [server names](/appendices/#server-name)
+-   allowing only alphanumeric (`A-Za-z0-9`), `_` and `-` characters in
+    the `media-id` segment
+
+The resulting set of whitelisted characters allows URL-safe
 base64 encodings specified in RFC 4648. Applying this character
 whitelist is preferable to blacklisting `.` and `/` as there are
 techniques around blacklisted characters (percent-encoded characters,

content/client-server-api/modules/push.md

@@ -83,7 +83,7 @@ Push Ruleset
 :   A push ruleset *scopes a set of rules according to some criteria*. For
     example, some rules may only be applied for messages from a particular
     sender, a particular room, or by default. The push ruleset contains the
-    entire set of scopes and rules.
+    entire set of rules.
 
 #### Push Rules
 
@@ -91,10 +91,8 @@ A push rule is a single rule that states under what *conditions* an
 event should be passed onto a push gateway and *how* the notification
 should be presented. There are different "kinds" of push rules and each
 rule has an associated priority. Every push rule MUST have a `kind` and
-`rule_id`. The `rule_id` is a unique string within the kind of rule and
+`rule_id`. The `rule_id` is a unique string within the kind of rule.
-its' scope: `rule_ids` do not need to be unique between rules of the
+Rules may have extra keys depending on the value of `kind`.
-same kind on different devices. Rules may have extra keys depending on
-the value of `kind`.
 
 The different `kind`s of rule, in the order that they are checked, are: