diff --git a/channel.js b/channel.js
index daa3720f..9350053e 100644
--- a/channel.js
+++ b/channel.js
@@ -26,6 +26,7 @@ var ChatCommand = require("./chatcommand.js");
 var Filter = require("./filter.js").Filter;
 var ActionLog = require("./actionlog");
 var Playlist = require("./playlist");
+var sanitize = require("validator").sanitize;
 var Channel = function(name) {
 Logger.syslog.log("Opening channel " + name);
@@ -1574,6 +1575,7 @@ Channel.prototype.tryUpdateFilter = function(user, f) {
 var re = f.source;
 var flags = f.flags;
+ f.replace = sanitize(f.replace).xss();
 try {
 new RegExp(re, flags);
 }
@@ -1676,6 +1678,7 @@ Channel.prototype.trySetJS = function(user, data) {
 Channel.prototype.updateMotd = function(motd) {
 var html = motd.replace(/\n/g, "
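Review bot: `require("validator").sanitize` is resolved once at load time but never checked, so if the installed validator release does not export a `sanitize` chain (package.json pins it to `*`, and later releases of this package, as far as I recall, dropped that API) every `sanitize(...)` call site in this file throws on the first chat message or filter update rather than at startup. A load-time assertion makes that failure immediate and visible: `if (typeof sanitize !== "function") throw new Error("validator: sanitize() chain not available in installed version");`. Next to the require, a comment stating the API surface the file depends on (`sanitize(str).xss()` and `sanitize(str).escape()`) would give whoever bumps the dependency a reason to test those two calls.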
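Review bot: The new `f.replace = sanitize(f.replace).xss();` accepts whatever type the client sent and runs before the regex is known to be valid, and `xss()` is a blacklist filter that strips known-bad constructs rather than a whitelist of allowed markup, so a filter editor can still supply arbitrary HTML that later reaches chat unescaped (sendMessage escapes `msg` and then runs `filterMessage` over it). If that is the intended trust model, say so on this line: `// xss() is a blacklist, not an escape: filter editors are trusted to inject markup`. Reject non-string input before sanitizing, `if (typeof f.replace !== "string") return;`, using the same failure path the invalid-regex branch takes (that branch and the rest of tryUpdateFilter lie outside the hunk). Separately, `new RegExp(re, flags)` only proves the user-supplied pattern parses; nothing visible bounds its complexity, so a pathological pattern applied to every message is a denial-of-service vector this commit does not address.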
"); + html = sanitize(html).xss(); //html = this.filterMessage(html); this.motd = { motd: motd, @@ -1762,8 +1765,7 @@ Channel.prototype.filterMessage = function(msg) { Channel.prototype.sendMessage = function(username, msg, msgclass, data) { // I don't want HTML from strangers - msg = msg.replace(/&/g, "&"); - msg = msg.replace(//g, ">"); + msg = sanitize(msg).escape(); msg = this.filterMessage(msg); var msgobj = { username: username, diff --git a/package.json b/package.json index 37546e0b..25d2455f 100644 --- a/package.json +++ b/package.json @@ -12,6 +12,7 @@ "mysql-libmysqlclient": "*", "node_hash": "*", "bcrypt": "*", - "nodemailer": "*" + "nodemailer": "*", + "validator": "*" } } diff --git a/www/assets/js/callbacks.js b/www/assets/js/callbacks.js index 2d6d2f0e..1426b1d9 100644 --- a/www/assets/js/callbacks.js +++ b/www/assets/js/callbacks.js @@ -106,8 +106,9 @@ Callbacks = { setMotd: function(data) { CHANNEL.motd = data.html; + CHANNEL.motd_text = data.motd; $("#motd").html(data.html); - $("#motdtext").val(CHANNEL.motd); + $("#motdtext").val(CHANNEL.motd_text); if(data.motd != "") $("#motd").show(); else diff --git a/www/assets/js/data.js b/www/assets/js/data.js index 1f46df13..7297df45 100644 --- a/www/assets/js/data.js +++ b/www/assets/js/data.js @@ -29,6 +29,7 @@ var CHANNEL = { css: "", js: "", motd: "", + motd_text: "", name: false }; diff --git a/www/assets/js/util.js b/www/assets/js/util.js index fbcb4cb6..3dac7085 100644 --- a/www/assets/js/util.js +++ b/www/assets/js/util.js @@ -788,7 +788,7 @@ function handleModPermissions() { $("#opt_voteskip_ratio").val(CHANNEL.opts.voteskip_ratio); $("#csstext").val(CHANNEL.css); $("#jstext").val(CHANNEL.js); - $("#motdtext").val(CHANNEL.motd); + $("#motdtext").val(CHANNEL.motd_text); setVisible("#permedit_tab", CLIENT.rank >= 3); setVisible("#banlist_tab", hasPermission("ban")); setVisible("#motdedit_tab", hasPermission("motdedit"));