From 36290dfd5e94c9ca4ba37cf1ab6fd1bd46c1fc3b Mon Sep 17 00:00:00 2001
From: Adam Lavin
Date: Sun, 12 Apr 2015 03:29:23 +0100
Subject: [PATCH] Sanitized output of channel name in invalid channel
---
 lib/web/webserver.js | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/lib/web/webserver.js b/lib/web/webserver.js
index a969f78b..2b33d24b 100644
--- a/lib/web/webserver.js
+++ b/lib/web/webserver.js
@@ -15,6 +15,7 @@ var static = require("serve-static");
 var morgan = require("morgan");
 var session = require("../session");
 var csrf = require("./csrf");
+var XSS = require("../xss");
 const LOG_FORMAT = ':real-address - :remote-user [:date] ":method :url HTTP/:http-version" :status :res[content-length] ":referrer" ":user-agent"';
 morgan.token('real-address', function (req) { return req._ip; });
@@ -76,7 +77,7 @@ function redirectHttp(req, res) {
 function handleChannel(req, res) {
 if (!$util.isValidChannelName(req.params.channel)) {
 res.status(404);
- res.send("Invalid channel name '" + req.params.channel + "'");
+ res.send("Invalid channel name '" + XSS.sanitizeText(req.params.channel) + "'");
 return;
 }
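Review bot: The escaped name on the new `res.send` line is still delivered as HTML, because `res.send` with a string argument defaults Content-Type to text/html (assuming this is Express, which the serve-static and morgan requires suggest), so the fix rests entirely on `XSS.sanitizeText` escaping every HTML-significant character, and that helper is not part of this patch. Sending the error as plain text removes that dependency however the escaper behaves: `res.status(404).type('text/plain').send("Invalid channel name '" + XSS.sanitizeText(req.params.channel) + "'");` — or simply stop echoing the rejected input, since a 404 for an invalid name does not need it and that is the more robust option. handleChannel's body continues past the end of the hunk.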