Fix potential Cross-site Scripting (XSS) exploits in demos #2817
+93 −25
This patch addresses an issue in the TextRoom demo found by @SoufElhabti (thanks!). Specifically, while we were escaping incoming messages before adding them to the page, we weren't doing the same for display names: since they would be added to the HTML as-is as well, this could cause bad things to happen. See CVE-2021-4020 for details.
This patch fixes that vulnerability in the demo, but it also got me thinking about other demos, where we do similar things with display names, descriptions, etc. In some demos we have checks on what you can put in a display name (e.g., by enforcing alphanumeric values), but those don't protect you from users joining via other means (e.g., a webpage accessing the same VideoRoom but without the check). As such, I've modified the other demos as well to escape those values that may need it.
I've already updated the demos online with the fix, so it shouldn't be an issue anymore for people using those. I'm planning to merge this patch soon, so please let me know if I missed some file/value.