[mirotalksfu] - safety improvements

app/src/Server.js

@@ -259,8 +259,8 @@ function startServer() {
         res.redirect('/');
     });
 
-    // join room
+    // join room by id
-    app.get('/join/*', (req, res) => {
+    app.get('/join/:roomId', (req, res) => {
         if (hostCfg.authenticated) {
             res.sendFile(views.room);
         } else {
@@ -268,6 +268,11 @@ function startServer() {
         }
     });
 
+    // not specified correctly the room id
+    app.get('/join/*', (req, res) => {
+        res.redirect('/');
+    });
+
     // if not allow video/audio
     app.get(['/permission'], (req, res) => {
         res.sendFile(views.permission);
@@ -872,7 +877,8 @@ function startServer() {
         socket.on('message', (dataObject) => {
             if (!roomList.has(socket.room_id)) return;
 
-            const data = checkXSS(dataObject);
+            // const data = checkXSS(dataObject);
+            const data = dataObject;
 
             log.debug('message', data);
             if (data.to_peer_id == 'all') {

public/js/Room.js

@@ -204,7 +204,7 @@ function setTippy(elem, content, placement, allowHTML = false) {
 
 function getRoomId() {
     let qs = new URLSearchParams(window.location.search);
-    let queryRoomId = qs.get('room');
+    let queryRoomId = filterXSS(qs.get('room'));
     let roomId = queryRoomId ? queryRoomId : location.pathname.substring(6);
     if (roomId == '') {
         roomId = makeId(12);
@@ -364,7 +364,7 @@ function addChild(device, els) {
 
 function getScreen() {
     let qs = new URLSearchParams(window.location.search);
-    let screen = qs.get('screen');
+    let screen = filterXSS(qs.get('screen'));
     if (screen) {
         screen = screen.toLowerCase();
         let queryScreen = screen === '1' || screen === 'true';
@@ -376,7 +376,7 @@ function getScreen() {
 
 function getNotify() {
     let qs = new URLSearchParams(window.location.search);
-    let notify = qs.get('notify');
+    let notify = filterXSS(qs.get('notify'));
     if (notify) {
         notify = notify.toLowerCase();
         let queryNotify = notify === '1' || notify === 'true';
@@ -386,13 +386,17 @@ function getNotify() {
 }
 
 function getPeerName() {
-    let qs = new URLSearchParams(window.location.search);
+    const qs = new URLSearchParams(window.location.search);
-    return qs.get('name');
+    const name = filterXSS(qs.get('name'));
+    if (isHtml(name)) {
+        return 'Invalid name';
+    }
+    return name;
 }
 
 function getRoomPassword() {
     let qs = new URLSearchParams(window.location.search);
-    let roomPassword = qs.get('password');
+    let roomPassword = filterXSS(qs.get('password'));
     if (roomPassword) {
         let queryNoRoomPassword = roomPassword === '0' || roomPassword === 'false';
         if (queryNoRoomPassword) {
@@ -482,6 +486,8 @@ function whoAreYou() {
         },
         inputValidator: (name) => {
             if (!name) return 'Please enter your name';
+            name = filterXSS(name);
+            if (isHtml(name)) return 'Invalid name!';
             if (!getCookie(room_id + '_name')) {
                 window.localStorage.peer_name = name;
             }
@@ -556,8 +562,8 @@ function checkInitAudio(isAudioAllowed) {
 
 function checkMedia() {
     let qs = new URLSearchParams(window.location.search);
-    let audio = qs.get('audio');
+    let audio = filterXSS(qs.get('audio'));
-    let video = qs.get('video');
+    let video = filterXSS(qs.get('video'));
     if (audio) {
         audio = audio.toLowerCase();
         let queryPeerAudio = audio === '1' || audio === 'true';
@@ -1564,6 +1570,15 @@ function getCookie(cName) {
     return res;
 }
 
+function isHtml(str) {
+    var a = document.createElement('div');
+    a.innerHTML = str;
+    for (var c = a.childNodes, i = c.length; i--; ) {
+        if (c[i].nodeType == 1) return true;
+    }
+    return false;
+}
+
 // ####################################################
 // HANDLE WHITEBOARD
 // ####################################################

public/js/RoomClient.js

@@ -2357,6 +2357,7 @@ class RoomClient {
         if (!peer_msg) {
             return this.cleanMessage();
         }
+        this.peer_name = filterXSS(this.peer_name);
         let data = {
             peer_name: this.peer_name,
             peer_id: this.peer_id,
@@ -2396,11 +2397,13 @@ class RoomClient {
                 if (!peer_msg) {
                     return this.cleanMessage();
                 }
+                this.peer_name = filterXSS(this.peer_name);
+                const toPeerName = filterXSS(to_peer_name);
                 let data = {
                     peer_name: this.peer_name,
                     peer_id: this.peer_id,
                     to_peer_id: to_peer_id,
-                    to_peer_name: to_peer_name,
+                    to_peer_name: toPeerName,
                     peer_msg: peer_msg,
                 };
                 console.log('Send message:', data);
@@ -2413,7 +2416,7 @@ class RoomClient {
                     this.peer_id,
                     peer_msg,
                     to_peer_id,
-                    to_peer_name,
+                    toPeerName,
                 );
                 if (!this.isChatOpen) this.toggleChat();
             }

public/views/Room.html

@@ -73,6 +73,7 @@
 
         <script defer src="/socket.io/socket.io.js"></script>
         <script defer src="../sfu/MediasoupClient.js"></script>
+        <script defer src="https://rawgit.com/leizongmin/js-xss/master/dist/xss.js"></script>
         <script defer src="../js/LocalStorage.js"></script>
         <script defer src="../js/Rules.js"></script>
         <script defer src="../js/Room.js"></script>