Prevent XSS injection using 'nick' on presence

Also allows special characters in displayName. Fixes issue #182.
Zalmoxisus 2014-12-03 22:44:03 +02:00
parent 5af92474c3
commit 7b0be8e953
4 changed files with 7 additions and 7 deletions

app.js

@ -813,7 +813,7 @@ $(document).bind('entered.muc', function (event, jid, info, pres) {
$(document).bind('left.muc', function (event, jid) { $(document).bind('left.muc', function (event, jid) {
console.log('left.muc', jid); console.log('left.muc', jid);
var displayName = $('#participant_' + Strophe.getResourceFromJid(jid) + var displayName = $('#participant_' + Strophe.getResourceFromJid(jid) +
'>.displayname').text(); '>.displayname').html();
messageHandler.notify(displayName || 'Somebody', messageHandler.notify(displayName || 'Somebody',
'disconnected', 'disconnected',
'disconnected'); 'disconnected');
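Review bot: The `left.muc` handler now reads the participant's name with `.html()` on the `.displayname` span, so `displayName` is the span's serialized inner markup — an entity-escaped string such as `&amp;lt;b&amp;gt;` rather than the text the user sees — and that is what reaches `messageHandler.notify`. Whether notify renders its argument as text or as HTML is not visible in this hunk; with a text sink the entities show literally, and with an HTML sink the safety rests on the span never having been filled from an unescaped source. Reading `'>.displayname').text()` yields the decoded name and leaves escaping to notify's own insertion; if notify cannot escape, keep `.html()` but mark the value, e.g. `// displayName is HTML-escaped markup, not plain text`.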


@ -170,7 +170,7 @@ var ContactList = (function (my) {
var contactName = $('#contactlist #' + resourceJid + '>p'); var contactName = $('#contactlist #' + resourceJid + '>p');
if (contactName && displayName && displayName.length > 0) if (contactName && displayName && displayName.length > 0)
contactName.text(displayName); contactName.html(displayName);
}); });
my.setClickable = function(resourceJid, isClickable) { my.setClickable = function(resourceJid, isClickable) {

muc.js

@ -123,7 +123,7 @@ Strophe.addConnectionPlugin('emuc', {
member.role = tmp.attr('role'); member.role = tmp.attr('role');
var nicktag = $(pres).find('>nick[xmlns="http://jabber.org/protocol/nick"]'); var nicktag = $(pres).find('>nick[xmlns="http://jabber.org/protocol/nick"]');
member.displayName = (nicktag.length > 0 ? nicktag.text() : null); member.displayName = (nicktag.length > 0 ? nicktag.html() : null);
if (from == this.myroomjid) { if (from == this.myroomjid) {
if (member.affiliation == 'owner') this.isOwner = true; if (member.affiliation == 'owner') this.isOwner = true;
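Review bot: `member.displayName` is now the inner markup of the presence `<nick>` element (`nicktag.html()`), i.e. the name in XML-serialized, entity-escaped form, which moves HTML escaping from the sink to the source. This relies on `innerHTML` of an element of the parsed presence document serializing its text with `<`, `>` and `&` escaped, and it creates an invariant that every consumer must honour: the value may only be inserted with `.html()` and must never be mixed with unescaped names, which is what the contact-list hunk (`contactName.html(displayName)`) and the videolayout hunks (`$('#localDisplayName').html(displayName + ' (me)')`, `$('#' + videoSpanId + '_name').html(displayName)`) now depend on, while the local branch appears to receive the raw name from the input handler rather than from the nick element. Keeping `member.displayName = (nicktag.length > 0 ? nicktag.text() : null);` and writing each display-name sink with `.text(...)` escapes at the point of insertion and needs no such invariant. If the escaped form is kept on purpose, document it on this assignment, e.g. `// displayName holds HTML-escaped markup; insert it only with .html(), never .text()`.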


@ -699,12 +699,12 @@ var VideoLayout = (function (my) {
if (nameSpanElement.id === 'localDisplayName' && if (nameSpanElement.id === 'localDisplayName' &&
$('#localDisplayName').text() !== displayName) { $('#localDisplayName').text() !== displayName) {
if (displayName && displayName.length > 0) if (displayName && displayName.length > 0)
$('#localDisplayName').text(displayName + ' (me)'); $('#localDisplayName').html(displayName + ' (me)');
else else
$('#localDisplayName').text(defaultLocalDisplayName); $('#localDisplayName').text(defaultLocalDisplayName);
} else { } else {
if (displayName && displayName.length > 0) if (displayName && displayName.length > 0)
$('#' + videoSpanId + '_name').text(displayName); $('#' + videoSpanId + '_name').html(displayName);
else else
$('#' + videoSpanId + '_name').text(interfaceConfig.DEFAULT_REMOTE_DISPLAY_NAME); $('#' + videoSpanId + '_name').text(interfaceConfig.DEFAULT_REMOTE_DISPLAY_NAME);
} }
@ -773,7 +773,7 @@ var VideoLayout = (function (my) {
} }
my.inputDisplayNameHandler = function (name) { my.inputDisplayNameHandler = function (name) {
if (nickname !== name) { if (name && nickname !== name) {
nickname = name; nickname = name;
window.localStorage.displayname = nickname; window.localStorage.displayname = nickname;
connection.emuc.addDisplayNameToPresence(nickname); connection.emuc.addDisplayNameToPresence(nickname);
@ -1036,7 +1036,7 @@ var VideoLayout = (function (my) {
var displayName = resourceJid; var displayName = resourceJid;
var nameSpan = $('#' + videoContainerId + '>span.displayname'); var nameSpan = $('#' + videoContainerId + '>span.displayname');
if (nameSpan.length > 0) if (nameSpan.length > 0)
displayName = nameSpan.text(); displayName = nameSpan.html();
console.log("UI enable dominant speaker", console.log("UI enable dominant speaker",
displayName, displayName,