diff --git a/integration_test/channel/kickban.js b/integration_test/channel/kickban.js
index f153bb93..d992bf61 100644
--- a/integration_test/channel/kickban.js
+++ b/integration_test/channel/kickban.js
@@ -110,6 +110,25 @@ describe('KickbanModule', () => {
);
});
+ it('rejects if the username is invalid', done => {
+ mockUser.socket.emit = (frame, obj) => {
+ if (frame === 'errorMsg') {
+ assert.strictEqual(
+ obj.msg,
+ 'Invalid username'
+ );
+
+ done();
+ }
+ };
+
+ kickban.handleCmdBan(
+ mockUser,
+ '/ban test_user<>%$# because reasons',
+ {}
+ );
+ });
+
it('rejects if the user does not have ban permission', done => {
mockUser.socket.emit = (frame, obj) => {
if (frame === 'errorMsg') {
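Review bot: The new test on the added lines only ever calls done() from the 'errorMsg' branch of the mocked emit, so if handleCmdBan stops rejecting the name the test does not fail on an assertion but hangs until the runner's timeout, which hides the regression behind a generic timeout message. Consider failing fast from the mock for any other frame, e.g. `} else { done(new Error(\`unexpected frame ${frame}\`)); }` after the errorMsg branch, if no other frame is legitimately emitted on this path (that cannot be confirmed from the hunk). The describe block containing this test starts before the hunk.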
diff --git a/package.json b/package.json
index 0ba85f5c..3abee162 100644
--- a/package.json
+++ b/package.json
@@ -2,7 +2,7 @@
"author": "Calvin Montgomery",
"name": "CyTube",
"description": "Online media synchronizer and chat",
- "version": "3.84.0",
+ "version": "3.85.0",
"repository": {
"url": "http://github.com/calzoneman/sync"
},
diff --git a/player/custom-embed.coffee b/player/custom-embed.coffee
index f03fcf44..516b284f 100644
--- a/player/custom-embed.coffee
+++ b/player/custom-embed.coffee
@@ -15,8 +15,19 @@ window.CustomEmbedPlayer = class CustomEmbedPlayer extends EmbedPlayer
return
embedSrc = data.meta.embed.src
- link = "#{embedSrc}"
- alert = makeAlert('Untrusted Content', CUSTOM_EMBED_WARNING.replace('%link%', link),
+
+ link = document.createElement('a')
+ link.href = embedSrc
+ link.target = '_blank'
+ link.rel = 'noopener noreferer'
+
+ strong = document.createElement('strong')
+ strong.textContent = embedSrc
+ link.appendChild(strong)
+
+ # TODO: Ideally makeAlert() would allow optionally providing a DOM
+ # element instead of requiring HTML text
+ alert = makeAlert('Untrusted Content', CUSTOM_EMBED_WARNING.replace('%link%', link.outerHTML),
'alert-warning')
.removeClass('col-md-12')
$('').addClass('btn btn-default')
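Review bot: The rel value on the new line `link.rel = 'noopener noreferer'` misspells the second token; browsers ignore unknown rel tokens, so only noopener takes effect and the referrer is still sent when the untrusted link is followed. It should read `link.rel = 'noopener noreferrer'`. Building the anchor as a DOM element and serializing it with outerHTML does address the markup injection the old string interpolation allowed, since href and the text content are attribute- and text-escaped by the serializer; note, however, that the href is still whatever data.meta.embed.src contains, so whether non-http(s) schemes are rejected depends on validation elsewhere that is not visible here. The enclosing method starts before and ends after this hunk.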
diff --git a/src/channel/kickban.js b/src/channel/kickban.js
index e5001d5f..c49d48e4 100644
--- a/src/channel/kickban.js
+++ b/src/channel/kickban.js
@@ -4,6 +4,7 @@ var Flags = require("../flags");
var util = require("../utilities");
var Account = require("../account");
import Promise from 'bluebird';
+const XSS = require("../xss");
const dbIsNameBanned = Promise.promisify(db.channels.isNameBanned);
const dbIsIPBanned = Promise.promisify(db.channels.isIPBanned);
@@ -261,7 +262,6 @@ KickBanModule.prototype.handleCmdIPBan = function (user, msg, _meta) {
chan.refCounter.ref("KickBanModule::handleCmdIPBan");
this.banAll(user, name, range, reason).catch(error => {
- //console.log('!!!', error.stack);
const message = error.message || error;
user.socket.emit("errorMsg", { msg: message });
}).then(() => {
@@ -276,6 +276,10 @@ KickBanModule.prototype.checkChannelAlive = function checkChannelAlive() {
};
KickBanModule.prototype.banName = async function banName(actor, name, reason) {
+ if (!util.isValidUserName(name)) {
+ throw new Error("Invalid username");
+ }
+
reason = reason.substring(0, 255);
var chan = this.channel;
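Review bot: The added guard `if (!util.isValidUserName(name)) { throw new Error("Invalid username"); }` is duplicated verbatim in the banIP hunk a few lines below, with the same error text that the integration test asserts on; a small shared helper such as `assertValidUserName(name)` in this module would keep the message and the check in one place so they cannot drift apart. Placing the check before the reason truncation and any lookups is the right order. A one-line comment above the guard stating why it exists would also help a later reader, e.g. `// Names are echoed into mod messages and stored as ban entries; reject anything outside the username alphabet up front.` — that rationale is inferred from the unban hunk's sanitizeText change and should be confirmed. banName continues past the end of this hunk.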
@@ -323,6 +327,9 @@ KickBanModule.prototype.banName = async function banName(actor, name, reason) {
};
KickBanModule.prototype.banIP = async function banIP(actor, ip, name, reason) {
+ if (!util.isValidUserName(name)) {
+ throw new Error("Invalid username");
+ }
reason = reason.substring(0, 255);
var masked = util.cloakIP(ip);
@@ -445,8 +452,9 @@ KickBanModule.prototype.handleUnban = function (user, data) {
self.channel.logger.log("[mod] " + user.getName() + " unbanned " + data.name);
if (self.channel.modules.chat) {
var banperm = self.channel.modules.permissions.permissions.ban;
+ // TODO: quick fix, shouldn't trust name from unban frame.
self.channel.modules.chat.sendModMessage(
- user.getName() + " unbanned " + data.name,
+ user.getName() + " unbanned " + XSS.sanitizeText(data.name),
banperm
);
}
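Review bot: The added `XSS.sanitizeText(data.name)` only covers the chat mod message, while the logger call just above the hunk still writes the raw `data.name`, and the TODO on the new line says the value should not be trusted at all. Since this commit already rejects invalid names on the ban side with `util.isValidUserName`, the same check could be applied to `data.name` at the start of handleUnban (which begins outside this hunk) so the value is rejected rather than escaped, e.g. `if (!util.isValidUserName(data.name)) { user.socket.emit("errorMsg", { msg: "Invalid username" }); return; }` — unless an equivalent check already exists earlier in the function, which cannot be seen here. If the sanitize call is kept as the interim fix, the TODO could name that follow-up explicitly: `// TODO: validate data.name with util.isValidUserName at the top of handleUnban instead of escaping here.`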