From 93410166580465608c370bb36cdc2b953e43b965 Mon Sep 17 00:00:00 2001
From: RblSb
Date: Tue, 25 Feb 2020 11:58:00 +0300
Subject: Html escapism
---
 src/server/Main.hx | 20 ++++++++++++++------
 1 file changed, 14 insertions(+), 6 deletions(-)
(limited to 'src/server/Main.hx')
diff --git a/src/server/Main.hx b/src/server/Main.hx
index 271f6ea..9f7534c 100644
--- a/src/server/Main.hx
+++ b/src/server/Main.hx
@@ -180,12 +180,12 @@ class Main {
 sendClientList();
 case Login:
 final name = data.login.clientName;
- if (name.length == 0 || name.length > config.maxLoginLength
+ if (badNickName(name) || name.length > config.maxLoginLength
 || clients.getByName(name) != null) {
 send(client, {type: LoginError});
 return;
 }
- client.name = data.login.clientName;
+ client.name = name;
 client.isUser = true;
 send(client, {
 type: data.type,
@@ -228,6 +228,7 @@ class Main {
 case AddVideo:
 final item = data.addVideo.item;
+ item.author = client.name;
 final localOrigin = '$localIp:$port';
 if (item.url.indexOf(localOrigin) != -1) {
 item.url = item.url.replace(localOrigin, '$globalIp:$port');
@@ -245,13 +246,12 @@ class Main {
 case RemoveVideo:
 if (videoList.length == 0) return;
 final url = data.removeVideo.url;
- if (videoList[0].url == url) {
- videoTimer.stop();
- if (videoList.length > 0) restartWaitTimer();
- }
+ final isFirst = videoList[0].url == url;
+ if (isFirst) videoTimer.stop();
 videoList.remove(
 videoList.find(item -> item.url == url)
 );
+ if (isFirst && videoList.length > 0) restartWaitTimer();
 broadcast(data);
 case Pause:
@@ -368,6 +368,14 @@ class Main {
 }
 }
+ final htmlChars = ~/[&^<>'"]/;
+
+ function badNickName(name:String):Bool {
+ if (name.length == 0) return true;
+ if (htmlChars.match(name)) return true;
+ return false;
+ }
+
 var waitVideoStart:Timer;
 var loadedClientsCount = 0;
--
cgit v1.2.3
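Review bot: The new guard in the Login branch still admits a name consisting only of whitespace, because badNickName (defined in the last hunk of this patch) tests `name.length == 0` on the raw string and never trims it, so a visually blank name passes and is also treated as distinct from any other name by the getByName duplicate check. If `using StringTools` is in scope (the `replace` call in the AddVideo hunk suggests it is), the cheapest fix lives inside badNickName: replace the length test with `if (name.trim().length == 0) return true;`. The Login case continues past the end of this hunk.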
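Review bot: When `data.removeVideo.url` matches no entry, `videoList.find(...)` yields null, `videoList.remove(null)` is a no-op, and the branch still falls through to `broadcast(data)`, so every client receives a RemoveVideo for a url that was never in the list; the reorder in this hunk preserves that behaviour. Look the item up once and bail out when it is absent, before the isFirst handling: `final found = videoList.find(item -> item.url == url);` / `if (found == null) return;` / `videoList.remove(found);`. The isFirst/restartWaitTimer reordering itself looks right, since the length is now checked after the removal rather than before it.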
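Review bot: badNickName and htmlChars carry no doc comment, so the reason for rejecting the characters `&^<>'"` (only the commit subject hints at HTML) and the fact that this is an input filter rather than output encoding are lost to the next reader; add above the function `/** Rejects empty names and names containing any of & ^ < > ' ". Defensive input filter only: names must still be HTML-escaped wherever they are rendered. */`. Since neither member reads instance state, `htmlChars` can be declared `static final`, and the body collapses to `return name.length == 0 || htmlChars.match(name);`. The hunk header counts two context lines that are not visible in this flattened copy, so the exact placement of the new members relative to the surrounding blank lines could not be checked.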