haskal
/
jiti-meet
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Merge pull request #205 from Zalmoxisus/master 

Prevent XSS injection using 'nick' tag on presence
This commit is contained in:
bgrozev 2014-12-18 18:24:44 +02:00
parent 3b0fcad39b 7b0be8e953
commit 996b1791d5
4 changed files with 7 additions and 7 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
app.js
View File

@ -752,7 +752,7 @@ $(document).bind('entered.muc', function (event, jid, info, pres) {
$(document).bind('left.muc', function (event, jid) { $(document).bind('left.muc', function (event, jid) {
console.log('left.muc', jid); console.log('left.muc', jid);
var displayName = $('#participant_' + Strophe.getResourceFromJid(jid) + var displayName = $('#participant_' + Strophe.getResourceFromJid(jid) +
'>.displayname').text(); '>.displayname').html();
messageHandler.notify(displayName || 'Somebody', messageHandler.notify(displayName || 'Somebody',
'disconnected', 'disconnected',
'disconnected'); 'disconnected');

2
contact_list.js
View File

@ -170,7 +170,7 @@ var ContactList = (function (my) {
var contactName = $('#contactlist #' + resourceJid + '>p'); var contactName = $('#contactlist #' + resourceJid + '>p');
if (contactName && displayName && displayName.length > 0) if (contactName && displayName && displayName.length > 0)
contactName.text(displayName); contactName.html(displayName);
}); });
my.setClickable = function(resourceJid, isClickable) { my.setClickable = function(resourceJid, isClickable) {

2
muc.js
View File

@ -132,7 +132,7 @@ Strophe.addConnectionPlugin('emuc', {
} }
var nicktag = $(pres).find('>nick[xmlns="http://jabber.org/protocol/nick"]'); var nicktag = $(pres).find('>nick[xmlns="http://jabber.org/protocol/nick"]');
member.displayName = (nicktag.length > 0 ? nicktag.text() : null); member.displayName = (nicktag.length > 0 ? nicktag.html() : null);
if (from == this.myroomjid) { if (from == this.myroomjid) {
if (member.affiliation == 'owner') this.isOwner = true; if (member.affiliation == 'owner') this.isOwner = true;

8
videolayout.js
View File

@ -751,12 +751,12 @@ var VideoLayout = (function (my) {
if (nameSpanElement.id === 'localDisplayName' && if (nameSpanElement.id === 'localDisplayName' &&
$('#localDisplayName').text() !== displayName) { $('#localDisplayName').text() !== displayName) {
if (displayName && displayName.length > 0) if (displayName && displayName.length > 0)
$('#localDisplayName').text(displayName + ' (me)'); $('#localDisplayName').html(displayName + ' (me)');
else else
$('#localDisplayName').text(defaultLocalDisplayName); $('#localDisplayName').text(defaultLocalDisplayName);
} else { } else {
if (displayName && displayName.length > 0) if (displayName && displayName.length > 0)
$('#' + videoSpanId + '_name').text(displayName); $('#' + videoSpanId + '_name').html(displayName);
else else
$('#' + videoSpanId + '_name').text(interfaceConfig.DEFAULT_REMOTE_DISPLAY_NAME); $('#' + videoSpanId + '_name').text(interfaceConfig.DEFAULT_REMOTE_DISPLAY_NAME);
} }
@ -825,7 +825,7 @@ var VideoLayout = (function (my) {
} }
my.inputDisplayNameHandler = function (name) { my.inputDisplayNameHandler = function (name) {
if (nickname !== name) { if (name && nickname !== name) {
nickname = name; nickname = name;
window.localStorage.displayname = nickname; window.localStorage.displayname = nickname;
connection.emuc.addDisplayNameToPresence(nickname); connection.emuc.addDisplayNameToPresence(nickname);
@ -1097,7 +1097,7 @@ var VideoLayout = (function (my) {
var displayName = resourceJid; var displayName = resourceJid;
var nameSpan = $('#' + videoContainerId + '>span.displayname'); var nameSpan = $('#' + videoContainerId + '>span.displayname');
if (nameSpan.length > 0) if (nameSpan.length > 0)
displayName = nameSpan.text(); displayName = nameSpan.html();
console.log("UI enable dominant speaker", console.log("UI enable dominant speaker",
displayName, displayName,