authorRblSb <msrblsb@gmail.com>2020-02-25 11:58:00 +0300
committerRblSb <msrblsb@gmail.com>2020-02-25 11:58:00 +0300
commit93410166580465608c370bb36cdc2b953e43b965 (patch)
tree134d5401111335014a45cfd2b2528904e42a1b5b /src
parentd934830a64b915af0b7e8031cb5ef927534c5e86 (diff)
Html escapism
Diffstat (limited to 'src')
-rw-r--r--src/client/Main.hx25
-rw-r--r--src/client/Player.hx15
-rw-r--r--src/server/Main.hx20
3 files changed, 37 insertions, 23 deletions
diff --git a/src/client/Main.hx b/src/client/Main.hx
index bfcc877..3a819b2 100644
--- a/src/client/Main.hx
+++ b/src/client/Main.hx
@@ -283,7 +283,7 @@ class Main {
if (isLeader()) player.setTime(player.getTime(), false);
case ClearChat:
- ge("#messagebuffer").innerHTML = "";
+ clearChat();
case ClearPlaylist:
player.clearItems();
@@ -313,7 +313,7 @@ class Main {
clientName: guestName.value
}
});
- ge("#messagebuffer").innerHTML = "";
+ clearChat();
serverMessage(1);
for (message in connected.history) {
addMessage(message.name, message.text, message.time);
@@ -349,7 +349,7 @@ class Main {
form.value += ' ${el.title}';
form.focus();
}
- smilesWrap.innerHTML = "";
+ smilesWrap.textContent = "";
for (emote in config.emotes) {
final img = document.createImageElement();
img.className = "smile-preview";
@@ -402,16 +402,16 @@ class Main {
switch (type) {
case 1:
div.className = "server-msg-reconnect";
- div.innerHTML = Lang.get("msgConnected");
+ div.textContent = Lang.get("msgConnected");
case 2:
div.className = "server-msg-disconnect";
- div.innerHTML = Lang.get("msgDisconnected");
+ div.textContent = Lang.get("msgDisconnected");
case 3:
div.className = "server-whisper";
- div.innerHTML = time + text + " " + Lang.get("entered");
+ div.textContent = time + text + " " + Lang.get("entered");
case 4:
div.className = "server-whisper";
- div.innerHTML = time + text;
+ div.textContent = time + text;
default:
}
msgBuf.appendChild(div);
@@ -420,7 +420,7 @@ class Main {
function updateUserList():Void {
final userCount = ge("#usercount");
- userCount.innerHTML = clients.length + " " + Lang.get("online");
+ userCount.textContent = clients.length + " " + Lang.get("online");
document.title = getPageTitle();
final list = new StringBuf();
@@ -438,6 +438,10 @@ class Main {
return '$pageTitle (${clients.length})';
}
+ function clearChat():Void {
+ ge("#messagebuffer").textContent = "";
+ }
+
function addMessage(name:String, text:String, ?time:String):Void {
final msgBuf = ge("#messagebuffer");
final userDiv = document.createDivElement();
@@ -446,11 +450,11 @@ class Main {
final tstamp = document.createSpanElement();
tstamp.className = "timestamp";
if (time == null) time = "[" + new Date().toTimeString().split(" ")[0] + "] ";
- tstamp.innerHTML = time;
+ tstamp.textContent = time;
final nameDiv = document.createElement("strong");
nameDiv.className = "username";
- nameDiv.innerHTML = name + ": ";
+ nameDiv.textContent = name + ": ";
final textDiv = document.createSpanElement();
if (text.startsWith("/")) {
@@ -460,6 +464,7 @@ class Main {
text = filter.regex.replace(text, filter.replace);
}
}
+ text = text.htmlEscape();
textDiv.innerHTML = text;
final isInChatEnd = msgBuf.scrollHeight - msgBuf.scrollTop == msgBuf.clientHeight;
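Review bot: The new `text = text.htmlEscape();` runs after the filter loop that precedes it, and the result still goes through `innerHTML` on the next line, so the order only makes sense if some filter's `replace` is expected to emit markup — in that case the escape should move above the loop so the filter output survives. If no filter produces markup, the pair of lines collapses to `textDiv.textContent = text;`, which is what the rest of this commit uses for the timestamp and name spans. Note that `htmlEscape()` without the `quotes` argument leaves `"` and `'` alone, which is acceptable for element content but not for attribute values. Either way a one-line comment stating why this span keeps `innerHTML` would save the next reader the same question; `addMessage` starts and ends outside the hunk.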
diff --git a/src/client/Player.hx b/src/client/Player.hx
index c9b10a4..bee9a3c 100644
--- a/src/client/Player.hx
+++ b/src/client/Player.hx
@@ -5,6 +5,7 @@ import js.html.VideoElement;
import js.Browser.document;
import client.Main.ge;
import Types.VideoItem;
+using StringTools;
using Lambda;
class Player {
@@ -63,16 +64,16 @@ class Player {
}
});
}
- player.innerHTML = "";
+ player.textContent = "";
player.appendChild(video);
- ge("#currenttitle").innerHTML = item.title;
+ ge("#currenttitle").textContent = item.title;
}
public function addVideoItem(item:VideoItem, atEnd:Bool):Void {
items.push(item);
final itemEl = nodeFromString(
'<li class="queue_entry pluid-0 queue_temp queue_active" title="${Lang.get("addedBy")}: ${item.author}">
- <a class="qe_title" href="${item.url}" target="_blank">${item.title}</a>
+ <a class="qe_title" href="${item.url}" target="_blank">${item.title.htmlEscape()}</a>
<span class="qe_time">${duration(item.duration)}</span>
<div class="qe_clear"></div>
<div class="btn-group" style="display: inline-block;">
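Review bot: On the changed `<a>` line only `${item.title}` is escaped, while `${item.url}` is interpolated into the `href` attribute as the client sent it, so a `"` in the URL ends the attribute and whatever follows is parsed as markup. The context line above has the same gap for `${item.author}` inside `title="..."`, although the server now assigns that field from the validated nick. Attribute values need the quote-escaping form, e.g. `href="${item.url.htmlEscape(true)}"` and `title="${Lang.get("addedBy")}: ${item.author.htmlEscape(true)}"`; escaping does not, of course, say anything about what scheme the URL uses. The `addVideoItem` template continues past the end of the hunk.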
@@ -109,7 +110,7 @@ class Player {
if (video == null) return;
player.removeChild(video);
video = null;
- ge("#currenttitle").innerHTML = Lang.get("nothingPlaying");
+ ge("#currenttitle").textContent = Lang.get("nothingPlaying");
}
public function removeItem(url:String):Void {
@@ -132,8 +133,8 @@ class Player {
}
function updateCounters():Void {
- ge("#plcount").innerHTML = '${items.length} ${Lang.get("videos")}';
- ge("#pllength").innerHTML = totalDuration();
+ ge("#plcount").textContent = '${items.length} ${Lang.get("videos")}';
+ ge("#pllength").textContent = totalDuration();
}
public function getItems():Array<VideoItem> {
@@ -153,7 +154,7 @@ class Player {
public function clearItems():Void {
items.resize(0);
- videoItemsEl.innerHTML = "";
+ videoItemsEl.textContent = "";
updateCounters();
}
diff --git a/src/server/Main.hx b/src/server/Main.hx
index 271f6ea..9f7534c 100644
--- a/src/server/Main.hx
+++ b/src/server/Main.hx
@@ -180,12 +180,12 @@ class Main {
sendClientList();
case Login:
final name = data.login.clientName;
- if (name.length == 0 || name.length > config.maxLoginLength
+ if (badNickName(name) || name.length > config.maxLoginLength
|| clients.getByName(name) != null) {
send(client, {type: LoginError});
return;
}
- client.name = data.login.clientName;
+ client.name = name;
client.isUser = true;
send(client, {
type: data.type,
@@ -228,6 +228,7 @@ class Main {
case AddVideo:
final item = data.addVideo.item;
+ item.author = client.name;
final localOrigin = '$localIp:$port';
if (item.url.indexOf(localOrigin) != -1) {
item.url = item.url.replace(localOrigin, '$globalIp:$port');
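Review bot: `item.author` is now assigned from `client.name` on the server, but `item.title` and `item.url` in the same `AddVideo` message are forwarded as the client sent them, with no bound comparable to the `badNickName` check applied at login, so safe rendering of both is left entirely to every connected client. A minimal check here — at least a non-empty title and a length limit, e.g. `if (item.title == null || item.title.length == 0) return;` before the broadcast — would stop one malformed message from reaching the whole room. The `AddVideo` case continues beyond the hunk.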
@@ -245,13 +246,12 @@ class Main {
case RemoveVideo:
if (videoList.length == 0) return;
final url = data.removeVideo.url;
- if (videoList[0].url == url) {
- videoTimer.stop();
- if (videoList.length > 0) restartWaitTimer();
- }
+ final isFirst = videoList[0].url == url;
+ if (isFirst) videoTimer.stop();
videoList.remove(
videoList.find(item -> item.url == url)
);
+ if (isFirst && videoList.length > 0) restartWaitTimer();
broadcast(data);
case Pause:
@@ -368,6 +368,14 @@ class Main {
}
}
+ final htmlChars = ~/[&^<>'"]/;
+
+ function badNickName(name:String):Bool {
+ if (name.length == 0) return true;
+ if (htmlChars.match(name)) return true;
+ return false;
+ }
+
var waitVideoStart:Timer;
var loadedClientsCount = 0;
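Review bot: The character class in the new `htmlChars = ~/[&^<>'"]/` contains a literal `^`; in the middle of a class it is just the caret character, not negation or an anchor, so either the intent is to reject carets (worth a comment) or it should be dropped. `badNickName` also dereferences `name` without a null check although the value originates in `data.login.clientName` from the client; `return name == null || name.length == 0 || htmlChars.match(name);` covers that and reads as one predicate. A comment above the field such as `// nick names are rendered on the client, so reject characters special in HTML and attributes` would record why this exact list exists.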