Escaping HTML in messages, verifying nicknames.

2023-11-20 16:25:48 -05:00 · 2023-11-20 16:25:48 -05:00 · 673aa186f1
parent 632c5e4437
commit 673aa186f1
2 changed files with 16 additions and 9 deletions
--- a/htdocs/lib/UI.js
+++ b/htdocs/lib/UI.js
@ -258,8 +258,10 @@ UI.recvChatMessage = function(nickname, text, color = 'white') {
    toggle_panel('openwebrx-panel-log', true);

    divlog(
-        '[<span class="nickname" style="color:' + color + ';">' + nickname
-      + '</span>]:&nbsp;' + '<span class="chatmessage">' + text + '</span>'
+        '[<span class="nickname" style="color:' + color + ';">'
+      + Utils.htmlEscape(nickname) + '</span>]:&nbsp;'
+      + '<span class="chatmessage">' + Utils.htmlEscape(text)
+      + '</span>'
    );
 };

--- a/owrx/client.py
+++ b/owrx/client.py
@ -2,6 +2,7 @@ from owrx.config import Config
 from owrx.color import ColorCache
 from datetime import datetime, timedelta
 import threading
+import re

 import logging

@ -31,7 +32,7 @@ class ClientRegistry(object):
        self.clients = []
        self.bans = {}
        self.chat = {}
-        self.chatCount = 0
+        self.chatCount = 1
        self.chatColors = ColorCache()
        Config.get().wireProperty("max_clients", self._checkClientCount)
        super().__init__()
@ -69,23 +70,27 @@ class ClientRegistry(object):

    # Broadcast chat message to all connected clients.
    def broadcastChatMessage(self, client, text: str, name: str = None):
-        # Names have to be 3+ characters
-        if name is not None and len(name) < 1:
-            name = None
+        # Names can only include alphanumerics
+        if name is not None:
+            name = re.sub("\W+", "", name)
+        # If we have seen this client chatting before...
        if client in self.chat:
+            # Rename existing client as needed, keep color
            curname = self.chat[client]["name"]
            color   = self.chat[client]["color"]
-            if name is None or name == curname:
+            if not name or name == curname:
                name = curname
            else:
                self.chatColors.rename(curname, name)
                self.chat[client]["name"] = name
        else:
-            name  = "User%d" % (self.chatCount + 1) if name is None else name
+            # Create name and color for a new client
+            name  = "User%d" % self.chatCount if not name else name
            color = self.chatColors.getColor(name)
            self.chat[client] = { "name": name, "color": color }
-            self.chatCount = (self.chatCount + 1) % 9999
+            self.chatCount = self.chatCount + 1

+        # Broadcast message to all clients
        for c in self.clients:
            c.write_chat_message(name, text, color)