
Prevent XSS injection using 'nick' on presence

Also allows special characters in displayName. Fixes issue #182.
master
Zalmoxisus 11 年前
7b0be8e953
共有 4 个文件被更改,包括 7 次插入7 次删除
  1. 1
    1
      app.js
  2. 1
    1
      contact_list.js
  3. 1
    1
      muc.js
  4. 4
    4
      videolayout.js

+ 1
- 1
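--- a/app.js
+++ b/app.js
@@ -813,7 +813,7 @@
 $(document).bind('left.muc', function (event, jid) {
     console.log('left.muc', jid);
     var displayName = $('#participant_' + Strophe.getResourceFromJid(jid) +
-        '>.displayname').text();
+        '>.displayname').html();
     messageHandler.notify(displayName || 'Somebody',
         'disconnected',
         'disconnected');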
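Review bot: Reading the name with `.html()` at line 816 hands `messageHandler.notify` an HTML-serialized string (an `&` in the name arrives as `&amp;`), so correct display now depends on notify treating its first argument as markup, which is not visible here; if notify writes it as text the entity shows literally, and if it writes it as markup the notification becomes a second HTML sink for a participant-supplied name. `.text()` returned the decoded name, which is what a notification needs, so I would keep `'>.displayname').text();` here and leave escaping to whatever notify does with the string. The same read-side swap appears at videolayout.js line 1039, where the value only reaches `console.log` and would likewise log `&amp;` rather than `&`.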

+ 1
- 1
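--- a/contact_list.js
+++ b/contact_list.js
@@ -170,7 +170,7 @@
         var contactName = $('#contactlist #' + resourceJid + '>p');
 
         if (contactName && displayName && displayName.length > 0)
-            contactName.text(displayName);
+            contactName.html(displayName);
     });
 
     my.setClickable = function(resourceJid, isClickable) {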

+ 1
- 1
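--- a/muc.js
+++ b/muc.js
@@ -123,7 +123,7 @@
         member.role = tmp.attr('role');
 
         var nicktag = $(pres).find('>nick[xmlns="http://jabber.org/protocol/nick"]');
-        member.displayName = (nicktag.length > 0 ? nicktag.text() : null);
+        member.displayName = (nicktag.length > 0 ? nicktag.html() : null);
 
         if (from == this.myroomjid) {
             if (member.affiliation == 'owner') this.isOwner = true;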
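Review bot: `nicktag.html()` at line 126 returns the serialized child markup of the `<nick>` element, not only its text, so the protection this commit relies on holds only while a presence carries a plain text nick; a `<nick>` whose child is an element rather than a text node would, as far as I can tell from jQuery's `.html()` getter, be copied verbatim into `member.displayName` and then inserted into the page by the new `.html(displayName)` sinks at contact_list.js line 173 and videolayout.js lines 702 and 707, which is the injection the title says it prevents. I would keep `member.displayName = (nicktag.length > 0 ? nicktag.text() : null);` here and keep `.text(displayName)` at the three write sites, since `.text(value)` stores the string as a text node and `<`, `&` and quotes in a name already display correctly without any markup round-trip; what the special-character problem behind #182 actually was is not visible from these hunks. The function enclosing this hunk starts and ends outside it.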

+ 4
- 4
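--- a/videolayout.js
+++ b/videolayout.js
@@ -699,12 +699,12 @@
             if (nameSpanElement.id === 'localDisplayName' &&
                 $('#localDisplayName').text() !== displayName) {
                 if (displayName && displayName.length > 0)
-                    $('#localDisplayName').text(displayName + ' (me)');
+                    $('#localDisplayName').html(displayName + ' (me)');
                 else
                     $('#localDisplayName').text(defaultLocalDisplayName);
             } else {
                 if (displayName && displayName.length > 0)
-                    $('#' + videoSpanId + '_name').text(displayName);
+                    $('#' + videoSpanId + '_name').html(displayName);
                 else
                     $('#' + videoSpanId + '_name').text(interfaceConfig.DEFAULT_REMOTE_DISPLAY_NAME);
             }
@@ -773,7 +773,7 @@
     }
 
     my.inputDisplayNameHandler = function (name) {
-        if (nickname !== name) {
+        if (name && nickname !== name) {
             nickname = name;
             window.localStorage.displayname = nickname;
             connection.emuc.addDisplayNameToPresence(nickname);
@@ -1036,7 +1036,7 @@
         var displayName = resourceJid;
         var nameSpan = $('#' + videoContainerId + '>span.displayname');
         if (nameSpan.length > 0)
-            displayName = nameSpan.text();
+            displayName = nameSpan.html();
 
         console.log("UI enable dominant speaker",
             displayName,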
