Escapes html special chars and makes invitation field non-editable.

app.js

             roomnode = path.substr(1).toLowerCase();
         } else {
             roomnode = Math.random().toString(36).substr(2, 20);
-            window.history.pushState('VideoChat', 'Room: ' + roomnode, window.location.pathname + roomnode);
+            window.history.pushState('VideoChat',
+                    'Room: ' + roomnode, window.location.pathname + roomnode);
         }
     }
 
     var remotes = document.getElementById('remoteVideos');
 
     if (data.peerjid) {
-        container  = document.getElementById('participant_' + Strophe.getResourceFromJid(data.peerjid));
+        container  = document.getElementById(
+                'participant_' + Strophe.getResourceFromJid(data.peerjid));
         if (!container) {
             console.warn('no container for', data.peerjid);
             // create for now...
             // FIXME: should be removed
-            container = addRemoteVideoContainer('participant_' + Strophe.getResourceFromJid(data.peerjid));
+            container = addRemoteVideoContainer(
+                    'participant_' + Strophe.getResourceFromJid(data.peerjid));
         } else {
             //console.log('found container for', data.peerjid);
         }
                 });
 
     $('#presentation>iframe').attr('id', preziPlayer.options.preziId);
-                 
+
     preziPlayer.on(PreziPlayer.EVENT_STATUS, function(event) {
         console.log("prezi status", event.value);
         if (event.value == PreziPlayer.STATUS_CONTENT_READY) {
                      if(v)
                      {
                         var lockKey = document.getElementById('lockKey');
-                     
+
                         if (lockKey.value)
                         {
-                            setSharedKey(lockKey.value);
+                            setSharedKey(Util.escapeHtml(lockKey.value));
                             lockRoom(true);
                         }
                      }
  * Opens the invite link dialog.
  */
 function openLinkDialog() {
-    $.prompt('<input id="inviteLinkRef" type="text" value="' + roomUrl + '" onclick="this.select();">',
+    $.prompt('<input id="inviteLinkRef" type="text" value="'
+            + encodeURI(roomUrl) + '" onclick="this.select();" readonly>',
              {
              title: "Share this link with everyone you want to invite",
              persistent: false,
 
                         if ($('#requireNicknames').is(":checked"))
                         {
-                            // it is checked                        
+                            // it is checked
                         }
              /*
                         var lockKey = document.getElementById('lockKey');
         });
     }
     else if (preziPlayer != null) {
-        $.prompt("Another participant is already sharing a Prezi. This conference allows only one Prezi at a time.",
+        $.prompt("Another participant is already sharing a Prezi." +
+                "This conference allows only one Prezi at a time.",
                  {
                  title: "Share a Prezi",
                  buttons: { "Ok": true},
 
                     if (preziUrl.value)
                     {
-                        if (preziUrl.value.indexOf('http://prezi.com/') != 0
-                            && preziUrl.value.indexOf('https://prezi.com/') != 0)
+                        var urlValue
+                            = encodeURI(Util.escapeHtml(preziUrl.value));
+
+                        if (urlValue.indexOf('http://prezi.com/') != 0
+                            && urlValue.indexOf('https://prezi.com/') != 0)
                         {
                             $.prompt.goToState('state1');
                             return false;
                         }
                         else {
-                            var presIdTmp = preziUrl.value.substring(preziUrl.value.indexOf("prezi.com/") + 10);
-                            if (presIdTmp.indexOf('/') < 2) {
+                            var presIdTmp = urlValue.substring(urlValue.indexOf("prezi.com/") + 10);
+                            if (!Util.isAlphanumeric(presIdTmp)
+                                    || presIdTmp.indexOf('/') < 2) {
                                 $.prompt.goToState('state1');
                                 return false;
                             }
                             else {
-                                connection.emuc.addPreziToPresence(preziUrl.value, 0);
+                                connection.emuc.addPreziToPresence(urlValue, 0);
                                 connection.emuc.sendPresence();
                                 $.prompt.close();
                             }
         };
 
         var myPrompt = jQuery.prompt(openPreziState);
-        
+
         myPrompt.on('impromptu:loaded', function(e) {
                     document.getElementById('preziUrl').focus();
                     });
         connection.emuc.lockRoom(sharedKey);
     else
         connection.emuc.lockRoom('');
-    
+
     updateLockButton();
 }
 
  * Shows the display name for the given video.
  */
 function showDisplayName(videoSpanId, displayName) {
+    var escDisplayName = Util.escapeHtml(displayName);
+
     var nameSpan = $('#' + videoSpanId + '>span.displayname');
 
     // If we already have a display name for this video.
         var nameSpanElement = nameSpan.get(0);
 
         if (nameSpanElement.id == 'localDisplayName'
-            && $('#localDisplayName').html() != displayName)
-            $('#localDisplayName').html(displayName);
+            && $('#localDisplayName').html() != escDisplayName)
+            $('#localDisplayName').html(escDisplayName);
         else
-            $('#' + videoSpanId + '_name').html(displayName);
+            $('#' + videoSpanId + '_name').html(escDisplayName);
     }
     else {
         var editButton = null;
+
         if (videoSpanId == 'localVideoContainer') {
             editButton = createEditDisplayNameButton();
         }
-
-        if (displayName.length) {
+        if (escDisplayName.length) {
             nameSpan = document.createElement('span');
             nameSpan.className = 'displayname';
-            nameSpan.innerHTML = displayName;
+            nameSpan.innerHTML = escDisplayName;
             $('#' + videoSpanId)[0].appendChild(nameSpan);
         }
 
         else {
             nameSpan.id = 'localDisplayName';
             $('#' + videoSpanId)[0].appendChild(editButton);
-            
+
             var editableText = document.createElement('input');
             editableText.className = 'displayname';
             editableText.id = 'editDisplayName';
 
-            if (displayName.length)
-                editableText.value = displayName.substring(0, displayName.indexOf(' (me)'));
+            if (escDisplayName.length)
+                editableText.value
+                    = escDisplayName.substring(0, escDisplayName.indexOf(' (me)'));
 
             editableText.setAttribute('style', 'display:none;');
             editableText.setAttribute('placeholder', 'ex. Jane Pink');
 
                 var inputDisplayNameHandler = function(name) {
                     if (nickname != name) {
-                        nickname = name;
+                        nickname = Util.escapeHtml(name);
                         window.localStorage.displayname = nickname;
                         connection.emuc.addDisplayNameToPresence(nickname);
                         connection.emuc.sendPresence();
                     }
 
                     if (!$('#localDisplayName').is(":visible")) {
-                        $('#localDisplayName').html(name + " (me)");
+                        $('#localDisplayName').html(nickname + " (me)");
                         $('#localDisplayName').show();
                         $('#editDisplayName').hide();
                     }

chat.js

         $('#nickinput').keydown(function(event) {
             if (event.keyCode == 13) {
                 event.preventDefault();
-                var val = this.value;
+                var val = Util.escapeHtml(this.value);
                 this.value = '';
                 if (!nickname) {
                     nickname = val;
         $('#usermsg').keydown(function(event) {
             if (event.keyCode == 13) {
                 event.preventDefault();
-                var message = this.value;
+                var message = Util.escapeHtml(this.value);
                 $('#usermsg').val('').trigger('autosize.resize');
                 this.focus();
                 connection.emuc.sendMessage(message, nickname);
         }
 
         //replace links and smileys
-        message = processReplacements(message);
+        var escMessage = Util.escapeHtml(message);
+        var escDisplayName = Util.escapeHtml(displayName);
+        message = processReplacements(escMessage);
 
         $('#chatconversation').append('<div class="' + divClassName + '"><b>'
-                                        + displayName + ': </b>'
+                                        + escDisplayName + ': </b>'
                                         + message + '</div>');
         $('#chatconversation').animate(
                 { scrollTop: $('#chatconversation')[0].scrollHeight}, 1000);

util.js

         document.getElementById(id).play();
     };
 
+    /**
+     * Escapes the given text.
+     */
+    my.escapeHtml = function(unsafeText) {
+        return $('<div/>').text(unsafeText).html();
+    };
+
+    /**
+     * Indicates if the given string is an alphanumeric string.
+     * Note that some special characters are also allowed (-, _ , /) for the
+     * purpose of checking URIs. (FIXME: This should maybe moved to another not
+     * so generic method in the future.)
+     */
+    my.isAlphanumeric = function(unsafeText) {
+        var regex = /^[a-z0-9-_\/]+$/i;
+        return regex.test(unsafeText);
+    };
+
     return my;
 }(Util || {}));