
Prevent XSS injection using 'nick' on presence

Also allows special characters in displayName. Fixes issue #182.
j8
Zalmoxisus 11 years ago
parent
commit
7b0be8e953
4 changed files with 7 additions and 7 deletions
  1. 1
    1
      app.js
  2. 1
    1
      contact_list.js
  3. 1
    1
      muc.js
  4. 4
    4
      videolayout.js

+ 1
- 1
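--- a/app.js
+++ b/app.js
@@ -813,7 +813,7 @@ $(document).bind('entered.muc', function (event, jid, info, pres) {
 $(document).bind('left.muc', function (event, jid) {
     console.log('left.muc', jid);
     var displayName = $('#participant_' + Strophe.getResourceFromJid(jid) +
-        '>.displayname').text();
+        '>.displayname').html();
     messageHandler.notify(displayName || 'Somebody',
         'disconnected',
         'disconnected');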
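Review bot: The `.html()` read on line 816, together with the `.html()` writes in contact_list.js, muc.js and videolayout.js, makes the protection depend on `displayName` being HTML-escaped at every source rather than on the sink being safe; for presence nicks that appears to hold because `nicktag.html()` in muc.js returns the serialized, entity-escaped text of the XML element, but the local-name path in videolayout.js line 702 seems to receive `displayName` from the raw `name` that `inputDisplayNameHandler` stores, in which case a name containing markup would be inserted unescaped there. The more robust shape keeps `.text()` for every DOM read and write (e.g. leave `contactName.text(displayName);` as it was) and escapes only at the one place where `displayName` is concatenated into an HTML string, which is outside these hunks. Consumers that treat the value as plain text, such as `messageHandler.notify(displayName || 'Somebody', ...)` on line 817 and the `console.log` in videolayout.js line 1041, will otherwise show entity-encoded names like `&amp;`; whether notify renders HTML is not visible here. The `left.muc` handler closes outside the hunk.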

+ 1
- 1
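--- a/contact_list.js
+++ b/contact_list.js
@@ -170,7 +170,7 @@ var ContactList = (function (my) {
         var contactName = $('#contactlist #' + resourceJid + '>p');
 
         if (contactName && displayName && displayName.length > 0)
-            contactName.text(displayName);
+            contactName.html(displayName);
     });
 
     my.setClickable = function(resourceJid, isClickable) {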

+ 1
- 1
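--- a/muc.js
+++ b/muc.js
@@ -123,7 +123,7 @@ Strophe.addConnectionPlugin('emuc', {
         member.role = tmp.attr('role');
 
         var nicktag = $(pres).find('>nick[xmlns="http://jabber.org/protocol/nick"]');
-        member.displayName = (nicktag.length > 0 ? nicktag.text() : null);
+        member.displayName = (nicktag.length > 0 ? nicktag.html() : null);
 
         if (from == this.myroomjid) {
             if (member.affiliation == 'owner') this.isOwner = true;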

+ 4
- 4
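--- a/videolayout.js
+++ b/videolayout.js
@@ -699,12 +699,12 @@ var VideoLayout = (function (my) {
             if (nameSpanElement.id === 'localDisplayName' &&
                 $('#localDisplayName').text() !== displayName) {
                 if (displayName && displayName.length > 0)
-                    $('#localDisplayName').text(displayName + ' (me)');
+                    $('#localDisplayName').html(displayName + ' (me)');
                 else
                     $('#localDisplayName').text(defaultLocalDisplayName);
             } else {
                 if (displayName && displayName.length > 0)
-                    $('#' + videoSpanId + '_name').text(displayName);
+                    $('#' + videoSpanId + '_name').html(displayName);
                 else
                     $('#' + videoSpanId + '_name').text(interfaceConfig.DEFAULT_REMOTE_DISPLAY_NAME);
             }
@@ -773,7 +773,7 @@ var VideoLayout = (function (my) {
     }
 
     my.inputDisplayNameHandler = function (name) {
-        if (nickname !== name) {
+        if (name && nickname !== name) {
             nickname = name;
             window.localStorage.displayname = nickname;
             connection.emuc.addDisplayNameToPresence(nickname);
@@ -1036,7 +1036,7 @@ var VideoLayout = (function (my) {
         var displayName = resourceJid;
         var nameSpan = $('#' + videoContainerId + '>span.displayname');
         if (nameSpan.length > 0)
-            displayName = nameSpan.text();
+            displayName = nameSpan.html();
 
         console.log("UI enable dominant speaker",
             displayName,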
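Review bot: The new guard `if (name && nickname !== name)` on line 776 silently drops an empty `name`, so a user who clears the input can no longer reset a previously stored `window.localStorage.displayname`, and the intent of treating empty input as "keep the current nickname" is not stated anywhere. If that is deliberate, a short comment above the guard would save the next reader a trip, e.g. `// empty input keeps the stored nickname; only a non-empty change is published`. If it is not, the truthiness test also rejects a name that is only whitespace differently from one that is a single space, and `name.trim()` before the comparison would make the rule explicit. `inputDisplayNameHandler` continues past the end of the hunk.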
