From 926e64d33465b3333ce6023ddf692e224e7f7485 Mon Sep 17 00:00:00 2001 From: Miroslav Pejic Date: Tue, 2 Jul 2024 15:21:05 +0200 Subject: [PATCH] [mirotalksfu] - add filterXSS --- public/js/RoomClient.js | 18 +++++++++--------- public/js/RtmpStreamer.js | 4 ++-- public/views/RtmpStreamer.html | 1 + 3 files changed, 12 insertions(+), 11 deletions(-) diff --git a/public/js/RoomClient.js b/public/js/RoomClient.js index a8a40e0b..c7e2ac51 100644 --- a/public/js/RoomClient.js +++ b/public/js/RoomClient.js @@ -7466,7 +7466,7 @@ class RoomClient { } async startRTMP() { - if (!this.isRTMPVideoSupported(this.selectedRtmpFilename)) { + if (!this.isRTMPVideoSupported(filterXSS(this.selectedRtmpFilename))) { this.getId('file-name').textContent = ''; return this.userLog( 'warning', @@ -7477,9 +7477,9 @@ class RoomClient { this.socket .request('startRTMP', { - file: this.selectedRtmpFilename, - peer_name: this.peer_name, - peer_uuid: this.peer_uuid, + file: filterXSS(this.selectedRtmpFilename), + peer_name: filterXSS(this.peer_name), + peer_uuid: filterXSS(this.peer_uuid), }) .then(function (rtmp) { rc.event(_EVENTS.startRTMP); @@ -7523,7 +7523,7 @@ class RoomClient { // ############################################## startRTMPfromURL(inputVideoURL) { - if (!this.isRTMPVideoSupported(inputVideoURL)) { + if (!this.isRTMPVideoSupported(filterXSS(inputVideoURL))) { this.getId('rtmpStreamURL').value = ''; return this.userLog( 'warning', @@ -7534,9 +7534,9 @@ class RoomClient { this.socket .request('startRTMPfromURL', { - inputVideoURL: inputVideoURL, - peer_name: this.peer_name, - peer_uuid: this.peer_uuid, + inputVideoURL: filterXSS(inputVideoURL), + peer_name: filterXSS(this.peer_name), + peer_uuid: filterXSS(this.peer_uuid), }) .then(function (rtmp) { rc.event(_EVENTS.startRTMPfromURL); @@ -7617,7 +7617,7 @@ class RoomClient { } const rtmpUrl = rc.getId('rtmp-url'); - rtmpUrl.value = rtmp; + rtmpUrl.value = filterXSS(rtmp); Swal.fire({ background: swalBackground, 
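Review bot: The `filterXSS(...)` calls added in `startRTMP`, and the same pattern in the two `startRTMPfromURL` hunks, run in the browser on values the client itself sends, so they do not constrain what the server receives for `file`, `inputVideoURL`, `peer_name` or `peer_uuid`. The server-side handlers for `startRTMP` and `startRTMPfromURL` are not visible here and need their own validation of those fields, ideally an allow-list for the file name and for the URL scheme. filterXSS is an HTML sanitiser, so for a file name or URL it can alter a legitimate value while still passing one that is unsafe as a path or URL. As a smaller point, the value is filtered separately for the check and for the request; `const file = filterXSS(this.selectedRtmpFilename);` at the top of `startRTMP`, reused in both places, would keep the checked value and the sent value visibly the same. Both method bodies continue outside the hunks.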
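Review bot: In the last RoomClient.js hunk, `rtmpUrl.value = filterXSS(rtmp);` HTML-filters a value written to a `.value` property, which the browser treats as plain text and never parses as markup, so the filter adds no protection at this sink. If `rtmp` ever contains `<` or `>`, the field would presumably show the escaped form, and a user copying it would get a URL that differs from the one the server issued. I would keep `rtmpUrl.value = rtmp;` and add a comment such as `// .value is a text sink; validate rtmp as an rtmp(s):// URL rather than HTML-escaping it`, with the format check matched to what the server actually returns. The enclosing function starts and ends outside the hunk.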
diff --git a/public/js/RtmpStreamer.js b/public/js/RtmpStreamer.js index bca9e2ed..ba956a3f 100644 --- a/public/js/RtmpStreamer.js +++ b/public/js/RtmpStreamer.js @@ -12,8 +12,8 @@ const popupMessage = document.getElementById('popupMessage'); const closePopup = document.getElementById('closePopup'); const qs = new URLSearchParams(window.location.search); -const videoId = qs.get('v'); -const audioId = qs.get('a'); +const videoId = filterXSS(qs.get('v')); +const audioId = filterXSS(qs.get('a')); console.log('Video/Audio id', { video: videoId, diff --git a/public/views/RtmpStreamer.html b/public/views/RtmpStreamer.html index df17a24b..f507563e 100644 --- a/public/views/RtmpStreamer.html +++ b/public/views/RtmpStreamer.html @@ -52,6 +52,7 @@ +
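Review bot: In the RtmpStreamer.js hunk, wrapping `qs.get('v')` and `qs.get('a')` in `filterXSS` changes the result for an absent parameter: `URLSearchParams.get` returns `null` when the key is missing, and filterXSS appears to return a string for that input, so any later null check on `videoId` or `audioId` (outside this hunk) would stop matching. The two values look like device identifiers, for which an explicit format check is a tighter control than HTML filtering, for example `const videoId = /^[\w-]+$/.test(qs.get('v') ?? '') ? qs.get('v') : null;` with the pattern adjusted to the real id format. Where these ids are later written into the page, using `textContent` rather than `innerHTML` would remove the need for the filter at that point.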