[mirotalksfu] - fix xss

app/src/Server.js

@@ -217,7 +217,7 @@ function startServer() {
         if (hostCfg.protected == true) {
             let ip = getIP(req);
             log.debug(`Request login to host from: ${ip}`, req.query);
-            const { username, password } = req.query;
+            const { username, password } = checkXSS(req.query);
             if (username == hostCfg.username && password == hostCfg.password) {
                 hostCfg.authenticated = true;
                 authHost = new Host(ip, true);
@@ -253,7 +253,7 @@ function startServer() {
         if (hostCfg.authenticated && Object.keys(req.query).length > 0) {
             log.debug('Direct Join', req.query);
             // http://localhost:3010/join?room=test&password=0&name=mirotalksfu&audio=1&video=1&screen=1&notify=1
-            const { room, password, name, audio, video, screen, notify } = req.query;
+            const { room, password, name, audio, video, screen, notify } = checkXSS(req.query);
             if (room && password && name && audio && video && screen && notify) {
                 return res.sendFile(views.room);
             }

app/src/XSS.js

@@ -10,7 +10,7 @@ const checkXSS = (dataObject) => {
         log.debug('Sanitization done');
         return JSON.parse(data);
     }
-    return dataObject;
+    return xss(dataObject);
 };
 
 module.exports = checkXSS;

public/views/login.html

@@ -51,6 +51,9 @@
 
         <script src="https://unpkg.com/animejs@3.0.1/lib/anime.min.js"></script>
         <script src="https://unpkg.com/scrollreveal@4.0.0/dist/scrollreveal.min.js"></script>
+
+        <!-- xss -->
+        <script src="https://rawgit.com/leizongmin/js-xss/master/dist/xss.js"></script>
     </head>
     <body class="is-boxed has-animations">
         <div class="body-wrap">
@@ -125,8 +128,8 @@
                                     };
 
                                     function login() {
-                                        let username = document.getElementById('username').value;
-                                        let password = document.getElementById('password').value;
+                                        const username = filterXSS(document.getElementById('username').value);
+                                        const password = filterXSS(document.getElementById('password').value);
 
                                         if (username && password) {
                                             window.location.href = `/login?username=${username}&password=${password}`;

public/views/permission.html

@@ -42,6 +42,9 @@
 
         <script src="https://unpkg.com/animejs@3.0.1/lib/anime.min.js"></script>
         <script src="https://unpkg.com/scrollreveal@4.0.0/dist/scrollreveal.min.js"></script>
+
+        <!-- xss -->
+        <script src="https://rawgit.com/leizongmin/js-xss/master/dist/xss.js"></script>
     </head>
     <body class="is-boxed has-animations">
         <div class="body-wrap">
@@ -72,8 +75,8 @@
                                 </p>
                                 <script>
                                     let qs = new URLSearchParams(window.location.search);
-                                    let room_id = qs.get('room_id');
-                                    let message = qs.get('message');
+                                    let room_id = filterXSS(qs.get('room_id'));
+                                    let message = filterXSS(qs.get('message'));
                                     console.log('Allow Camera or Audio', {
                                         room_id: room_id,
                                         message: message,