Fix potential severe XSS

src/source/frontend/dist/lib/index.js

@@ -1,12 +1,5 @@
 /** @format */
 
-// Copyright 2022 Elijah Bodden
-
-// Use of this source code is governed by an MIT-style
-// license that can be found in the LICENSE file or at
-// https://opensource.org/licenses/MIT.
-
-
 "use strict";
 
 var CONFIG = {}
@@ -89,6 +82,16 @@ var defaultConfig = {
 		moderateMapInstabilityTolerance : true,
 		arbitraryPeerRouteTimeout : 100000000,
 		routeAcceptHeuristic : async function (pkg) {
+			if (pkg.desiredPermissions==="advanced") {
+				eventStream.log("system", `Peer authentication requested by ${CONFIG.UI.renderUnfamiliarPublicAliases ? (hiddenAliasLookup[pkg.sender] ?? pkg.sender) : pkg.sender}`, "transient", ["align-center", "system-message-card-route-pending", "message-card-slim"], pkg.sender)
+				var accepted = true 
+				try {
+					await eventHandler.acquireExpectedDispatch(`authenticationAuthorized|${pkg.sender}`, CONFIG.communication.arbitraryPeerRouteTimeout)
+				} catch {
+					accepted = false
+				}
+				return accepted
+			}
 			return true
 		}
 	},
@@ -114,9 +117,30 @@ var defaultConfig = {
 			invalidSDP : 100,
 		},
 		configLoadFunction : async function() {
-			window.addEventListener("DOMContentLoaded", () => eventHandler.dispatch('DOMFunctional'), 1000)
+			window.addEventListener("DOMContentLoaded", () => eventHandler.dispatch("DOMFunctional"))
 			await eventHandler.acquireExpectedDispatch("DOMFunctional")
-			return {}
+			await fillDefaults()
+			effectiveFirstVisit = true
+			if (!JSON.parse(window.localStorage.config ?? "{}")?.["communication.publicAlias"] || !JSON.parse(window.localStorage.config ?? "{}").rememberMe) {
+				await (async () => {
+					var contentDisabler = document.createElement("iframe")
+					contentDisabler.style.position = "absolute"
+					contentDisabler.style.left = contentDisabler.style.right = contentDisabler.style.top = contentDisabler.style.bottom = "0px"
+					contentDisabler.style.width = contentDisabler.style.height = "100%"
+					contentDisabler.style.border = "0px"
+					contentDisabler.style.zIndex = 100000
+					document.querySelector("#init-blur-wrapper").style.visibility = "visible"
+					document.querySelector("#init-blur-wrapper").style.filter = "blur(3px) saturate(90%) brightness(90%)"
+					document.body.appendChild(contentDisabler)
+					const selectedHiddenAlias = await hiddenAliasPromptMenu()
+					document.querySelector("#init-blur-wrapper").replaceWith(...document.querySelector("#init-blur-wrapper").childNodes)
+					document.body.removeChild(contentDisabler)
+					exportToLS("communication.publicAlias", selectedHiddenAlias)
+				})()
+			} else {
+				document.querySelector("#init-blur-wrapper").replaceWith(...document.querySelector("#init-blur-wrapper").childNodes)
+			}
+			return JSON.parse(window.localStorage.config ?? "{}")
 		}
 	},
 	serverLink : {
@@ -129,6 +153,7 @@ var defaultConfig = {
 	}
 }
 
+var effectiveFirstVisit = false
 const livePeers = {};
 const authPeers = []
 var serverHardRestart
@@ -284,10 +309,10 @@ class eventHandlingMechanism {
 						if (!hasResolved)
 							reject(
 								`Dispatch listener promise for the identifier ${dispatchIdentifier} timed out after ${
-									timeout ?? CONFIG.constants.defaultEventHandlingMechanismTimeout
+									timeout ?? CONFIG?.constants?.defaultEventHandlingMechanismTimeout ?? 100000
 								}ms`
 							);
-					}, timeout ?? CONFIG.constants.defaultEventHandlingMechanismTimeout);
+					}, timeout ?? CONFIG?.constants?.defaultEventHandlingMechanismTimeout ?? 100000)
 				}),
 				reject: rejectGeneratedPromise,
 				resolve: resolveGeneratedPromise,
@@ -759,7 +784,7 @@ class peerConnection {
 		switch (parsed[0]) {
 			case "consumable":
 				if (!this.peerData?.hiddenAlias) return
-				this.dispatchConsumableAuth(parsed[1].raw)
+				this.dispatchConsumableAuth(escapeHTML(parsed[1].raw))
 				break;
 			case "gossip":
 				gossipTransport.consumeGossip(parsed[1]);
@@ -1490,15 +1515,14 @@ async function onPublicError(callback) {
 	eventHandler.onReceipt("fatalError", callback)
 }
 
-//#to be defined as needed:
 async function nonstandardParserDrain(type, args) {
-
+	//#to be individually defined
 }
 
 function indicateRouteAccepted(node) {
-
+	blinkStatus("success", node)
 }
 
 async function obviatePeerError(node) {
-
-}
+	blinkStatus("error", node)
+}