Merge pull request #205 from Zalmoxisus/master

Prevent XSS injection using 'nick' tag on presence
2014-12-18 18:24:44 +02:00 · 2014-12-18 18:24:44 +02:00 · 996b1791d5
parent 3b0fcad39b 7b0be8e953
commit 996b1791d5
4 changed files with 7 additions and 7 deletions
--- a/app.js
+++ b/app.js
@ -752,7 +752,7 @@ $(document).bind('entered.muc', function (event, jid, info, pres) {
 $(document).bind('left.muc', function (event, jid) {
    console.log('left.muc', jid);
    var displayName = $('#participant_' + Strophe.getResourceFromJid(jid) +
-        '>.displayname').text();
+        '>.displayname').html();
    messageHandler.notify(displayName || 'Somebody',
        'disconnected',
        'disconnected');
--- a/contact_list.js
+++ b/contact_list.js
@ -170,7 +170,7 @@ var ContactList = (function (my) {
        var contactName = $('#contactlist #' + resourceJid + '>p');

        if (contactName && displayName && displayName.length > 0)
-            contactName.text(displayName);
+            contactName.html(displayName);
    });

    my.setClickable = function(resourceJid, isClickable) {
--- a/muc.js
+++ b/muc.js
@ -132,7 +132,7 @@ Strophe.addConnectionPlugin('emuc', {
        }

        var nicktag = $(pres).find('>nick[xmlns="http://jabber.org/protocol/nick"]');
-        member.displayName = (nicktag.length > 0 ? nicktag.text() : null);
+        member.displayName = (nicktag.length > 0 ? nicktag.html() : null);

        if (from == this.myroomjid) {
            if (member.affiliation == 'owner') this.isOwner = true;
--- a/videolayout.js
+++ b/videolayout.js
@ -751,12 +751,12 @@ var VideoLayout = (function (my) {
            if (nameSpanElement.id === 'localDisplayName' &&
                $('#localDisplayName').text() !== displayName) {
                if (displayName && displayName.length > 0)
-                    $('#localDisplayName').text(displayName + ' (me)');
+                    $('#localDisplayName').html(displayName + ' (me)');
                else
                    $('#localDisplayName').text(defaultLocalDisplayName);
            } else {
                if (displayName && displayName.length > 0)
-                    $('#' + videoSpanId + '_name').text(displayName);
+                    $('#' + videoSpanId + '_name').html(displayName);
                else
                    $('#' + videoSpanId + '_name').text(interfaceConfig.DEFAULT_REMOTE_DISPLAY_NAME);
            }
@ -825,7 +825,7 @@ var VideoLayout = (function (my) {
    }

    my.inputDisplayNameHandler = function (name) {
-        if (nickname !== name) {
+        if (name && nickname !== name) {
            nickname = name;
            window.localStorage.displayname = nickname;
            connection.emuc.addDisplayNameToPresence(nickname);
@ -1097,7 +1097,7 @@ var VideoLayout = (function (my) {
        var displayName = resourceJid;
        var nameSpan = $('#' + videoContainerId + '>span.displayname');
        if (nameSpan.length > 0)
-            displayName = nameSpan.text();
+            displayName = nameSpan.html();

        console.log("UI enable dominant speaker",
            displayName,