[mirotalk] - #139 improvements

This commit is contained in:
Miroslav Pejic
2023-02-19 10:12:29 +01:00
parent 83f8db1cfc
commit 947d9830cb
+22 -7
@@ -4668,7 +4668,7 @@ function handleDataChannelChat(data) {
if (!data) return;
// prevent XSS injection from remote peer through Data Channel
const dataMessage = JSON.parse(filterXSS(JSON.stringify(data)));
const dataMessage = sanitizeXSS(data);
let msgFrom = dataMessage.from;
let msgTo = dataMessage.to;
@@ -5238,14 +5238,20 @@ function openTab(evt, tabName) {
* Update myPeerName to other peers in the room
*/
function updateMyPeerName() {
const myNewPeerName = myPeerNameSet.value;
const myOldPeerName = myPeerName;
// myNewPeerName empty
if (!myNewPeerName) return;
if (!myPeerNameSet.value) return;
// prevent xss execution itself
myPeerNameSet.value = filterXSS(myPeerNameSet.value);
// prevent XSS injection to remote peer
if (isHtml(myNewPeerName)) return userLog('warning', 'Invalid name!');
if (isHtml(myPeerNameSet.value)) {
myPeerNameSet.value = '';
return userLog('warning', 'Invalid name!');
}
const myNewPeerName = myPeerNameSet.value;
const myOldPeerName = myPeerName;
myPeerName = myNewPeerName;
myVideoParagraph.innerHTML = myPeerName + ' (me)';
@@ -6693,7 +6699,7 @@ function sendFileInformations(file, peer_id, broadcast = false) {
return userLog('info', 'No participants detected');
}
// prevent XSS injection to remote peer
// prevent XSS injection to remote peer (fileToSend.name is read only)
if (isHtml(fileToSend.name)) return userLog('warning', 'Invalid file name!');
const fileInfo = {
@@ -7507,3 +7513,12 @@ function getName(name) {
function elemDisplay(elem, yes) {
elem.style.display = yes ? 'inline' : 'none';
}
/**
* Sanitize XSS scripts
* @param {object} src object
* @returns sanitized object
*/
function sanitizeXSS(src) {
return JSON.parse(filterXSS(JSON.stringify(src)));
}
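Review bot: The new `sanitizeXSS` helper at the end of this section runs `filterXSS` over the serialized JSON text rather than over the individual string values, and then calls `JSON.parse` with no error handling. If the filter changes a character that is structural in that text (a quote or backslash inside markup it rewrites, for instance), `JSON.parse` may throw, and in `handleDataChannelChat` that exception would be caused by data from a remote peer. The body of that function continues outside the hunk, so it is not visible whether anything catches it. Filtering each string leaf and key, as sketched below, keeps the object structure intact and avoids the round trip. Anything the filter lets through is still markup, so the `innerHTML` assignment in `updateMyPeerName` would be safer as `textContent`.

```javascript
function sanitizeXSS(src) {
    // filter string leaves only, so the filter never sees JSON syntax
    if (typeof src === 'string') return filterXSS(src);
    if (Array.isArray(src)) return src.map(sanitizeXSS);
    if (src !== null && typeof src === 'object') {
        return Object.fromEntries(
            Object.entries(src).map(([key, value]) => [filterXSS(key), sanitizeXSS(value)])
        );
    }
    // numbers, booleans, null and undefined pass through unchanged
    return src;
}
```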