From c78ef333da6f039210fee98ef8821f14ee9131b0 Mon Sep 17 00:00:00 2001
From: Calvin Montgomery <calzoneman@gmail.com>
Date: Wed, 11 Jan 2023 17:57:02 -0800
Subject: [PATCH] Fix a couple issues discussed on IRC

---
 integration_test/channel/kickban.js | 19 +++++++++++++++++++
 package.json                        |  2 +-
 player/custom-embed.coffee          | 15 +++++++++++++--
 src/channel/kickban.js              | 12 ++++++++++--
 4 files changed, 43 insertions(+), 5 deletions(-)

diff --git a/integration_test/channel/kickban.js b/integration_test/channel/kickban.js
index f153bb93..d992bf61 100644
--- a/integration_test/channel/kickban.js
+++ b/integration_test/channel/kickban.js
@@ -110,6 +110,25 @@ describe('KickbanModule', () => {
             );
         });
 
+        it('rejects if the username is invalid', done => {
+            mockUser.socket.emit = (frame, obj) => {
+                if (frame === 'errorMsg') {
+                    assert.strictEqual(
+                        obj.msg,
+                        'Invalid username'
+                    );
+
+                    done();
+                }
+            };
+
+            kickban.handleCmdBan(
+                mockUser,
+                '/ban test_user<>%$# because reasons',
+                {}
+            );
+        });
+
         it('rejects if the user does not have ban permission', done => {
             mockUser.socket.emit = (frame, obj) => {
                 if (frame === 'errorMsg') {
diff --git a/package.json b/package.json
index 0ba85f5c..3abee162 100644
--- a/package.json
+++ b/package.json
@@ -2,7 +2,7 @@
   "author": "Calvin Montgomery",
   "name": "CyTube",
   "description": "Online media synchronizer and chat",
-  "version": "3.84.0",
+  "version": "3.85.0",
   "repository": {
     "url": "http://github.com/calzoneman/sync"
   },
diff --git a/player/custom-embed.coffee b/player/custom-embed.coffee
index f03fcf44..516b284f 100644
--- a/player/custom-embed.coffee
+++ b/player/custom-embed.coffee
@@ -15,8 +15,19 @@ window.CustomEmbedPlayer = class CustomEmbedPlayer extends EmbedPlayer
             return
 
         embedSrc = data.meta.embed.src
-        link = "<a href=\"#{embedSrc}\" target=\"_blank\"><strong>#{embedSrc}</strong></a>"
-        alert = makeAlert('Untrusted Content', CUSTOM_EMBED_WARNING.replace('%link%', link),
+
+        link = document.createElement('a')
+        link.href = embedSrc
+        link.target = '_blank'
+        link.rel = 'noopener noreferer'
+
+        strong = document.createElement('strong')
+        strong.textContent = embedSrc
+        link.appendChild(strong)
+
+        # TODO: Ideally makeAlert() would allow optionally providing a DOM
+        # element instead of requiring HTML text
+        alert = makeAlert('Untrusted Content', CUSTOM_EMBED_WARNING.replace('%link%', link.outerHTML),
             'alert-warning')
             .removeClass('col-md-12')
         $('<button/>').addClass('btn btn-default')
diff --git a/src/channel/kickban.js b/src/channel/kickban.js
index e5001d5f..c49d48e4 100644
--- a/src/channel/kickban.js
+++ b/src/channel/kickban.js
@@ -4,6 +4,7 @@ var Flags = require("../flags");
 var util = require("../utilities");
 var Account = require("../account");
 import Promise from 'bluebird';
+const XSS = require("../xss");
 
 const dbIsNameBanned = Promise.promisify(db.channels.isNameBanned);
 const dbIsIPBanned = Promise.promisify(db.channels.isIPBanned);
@@ -261,7 +262,6 @@ KickBanModule.prototype.handleCmdIPBan = function (user, msg, _meta) {
     chan.refCounter.ref("KickBanModule::handleCmdIPBan");
 
     this.banAll(user, name, range, reason).catch(error => {
-        //console.log('!!!', error.stack);
         const message = error.message || error;
         user.socket.emit("errorMsg", { msg: message });
     }).then(() => {
@@ -276,6 +276,10 @@ KickBanModule.prototype.checkChannelAlive = function checkChannelAlive() {
 };
 
 KickBanModule.prototype.banName = async function banName(actor, name, reason) {
+    if (!util.isValidUserName(name)) {
+        throw new Error("Invalid username");
+    }
+
     reason = reason.substring(0, 255);
 
     var chan = this.channel;
@@ -323,6 +327,9 @@ KickBanModule.prototype.banName = async function banName(actor, name, reason) {
 };
 
 KickBanModule.prototype.banIP = async function banIP(actor, ip, name, reason) {
+    if (!util.isValidUserName(name)) {
+        throw new Error("Invalid username");
+    }
     reason = reason.substring(0, 255);
     var masked = util.cloakIP(ip);
 
@@ -445,8 +452,9 @@ KickBanModule.prototype.handleUnban = function (user, data) {
         self.channel.logger.log("[mod] " + user.getName() + " unbanned " + data.name);
         if (self.channel.modules.chat) {
             var banperm = self.channel.modules.permissions.permissions.ban;
+            // TODO: quick fix, shouldn't trust name from unban frame.
             self.channel.modules.chat.sendModMessage(
-                user.getName() + " unbanned " + data.name,
+                user.getName() + " unbanned " + XSS.sanitizeText(data.name),
                 banperm
             );
         }