From 214adf62b5a904a1e685cd81693d34c5853f559c Mon Sep 17 00:00:00 2001 From: Ole Henrik Stabell Date: Sat, 14 Oct 2017 15:18:43 +0200 Subject: [PATCH] Added proper escaping to chat messages. Fixes #13 --- index.js | 14 ++++++++------ package-lock.json | 15 +++++++++++++++ package.json | 2 ++ views/mainview.html | 4 ++-- 4 files changed, 27 insertions(+), 8 deletions(-) diff --git a/index.js b/index.js index 3e4bb59..d06ba1a 100644 --- a/index.js +++ b/index.js @@ -11,6 +11,8 @@ var fb = require('facebook-live-chat'); var tw = require('twitch-webchat'); var jade = require('jade'); var EventEmitter = require('event-chains'); +var jsesc = require('jsesc'); +var unescapeJs = require('unescape-js'); //try { // var ipwhitelist = require(__dirname + "/ip-whitelist.json"); @@ -41,7 +43,7 @@ function onTWStartSignal() { var user = message.from var text = message.text // chat message content as text string - io.emit('chat message', 'tw-' + Math.floor((Math.random() * 100000000) + 1), 'https://static-cdn.jtvnw.net/jtv_user_pictures/xarth/404_user_70x70.png', user, text); + io.emit('chat message', 'tw-' + Math.floor((Math.random() * 100000000) + 1), 'https://static-cdn.jtvnw.net/jtv_user_pictures/xarth/404_user_70x70.png', jsesc(user), jsesc(text), user, text); break case 'tick': case 'debug': @@ -77,7 +79,7 @@ function onFBStartSignal() { }) // Emit every new facebook chat message to Socket.io. fbClient.on('chat', json => { - io.emit('chat message', json.id, 'https://graph.facebook.com/v2.10/' + json.from.id + '/picture?type=large&redirect=true&access_token=' + authDetails.user_access_token, json.from.name, json.message); + io.emit('chat message', json.id, 'https://graph.facebook.com/v2.10/' + json.from.id + '/picture?type=large&redirect=true&access_token=' + authDetails.user_access_token, jsesc(json.from.name), jsesc(json.message), json.from.name, json.message); }); } 
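Review bot: The new six-argument `'chat message'` payload (escaped name and text followed by the raw pair) is not matched by the relay in the `@@ -215` hunk, which re-emits the same event with only four arguments, so a client handler declared as `(id, img, escName, escMsg, name, msg)` would receive unescaped values in the escaped slots and `undefined` for the raw ones whenever anything emits `'chat message'` through a socket; the same applies to the `@@ -77` and `@@ -107` hunks. The relay should produce both forms as well, e.g. `io.emit('chat message', id, img, jsesc(unescapeJs(name)), jsesc(unescapeJs(msg)), unescapeJs(name), unescapeJs(msg));`. More generally, `jsesc` here encodes for one specific client sink (the single-quoted string built for the inline `onclick` in `views/mainview.html`), and that sink still interpolates `id` and `img` unescaped and, in the `genLowerThird` handler, the raw `name` and `msg`; escaping belongs at the point of use, and binding the click handlers with a closure (`.on('click', () => markQuestion(id, img, name, msg))`) would remove the need for the server-side escape/unescape round trip altogether. The enclosing `onTWStartSignal` switch continues outside the hunk.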
@@ -107,7 +109,7 @@ function onYTStartSignal() { // Emit every new YT chat message to Socket.io. ytClient.on('chat', json => { - io.emit('chat message', json.id, json.authorDetails.profileImageUrl, json.authorDetails.displayName, json.snippet.displayMessage); + io.emit('chat message', json.id, json.authorDetails.profileImageUrl, jsesc(json.authorDetails.displayName), jsesc(json.snippet.displayMessage), json.authorDetails.displayName, json.snippet.displayMessage); }); } @@ -215,15 +217,15 @@ app.get('/stoptw', function (req, res) { io.on('connection', function (socket) { socket.on('chat message', function (id, img, name, msg) { - io.emit('chat message', id, img, name, msg); + io.emit('chat message', id, img, unescapeJs(name), unescapeJs(msg)); }); socket.on('chat question', function (id, img, name, msg) { - io.emit('chat question', id, img, name, msg); + io.emit('chat question', id, img, unescapeJs(name), unescapeJs(msg)); }); socket.on('lower third', function (id, img, name, msg) { - io.emit('lower third', id, img, name, msg); + io.emit('lower third', id, img, unescapeJs(name), unescapeJs(msg)); }); }); diff --git a/package-lock.json b/package-lock.json index 08c65b4..d6f6a01 100644 --- a/package-lock.json +++ b/package-lock.json @@ -677,6 +677,11 @@ "integrity": "sha1-peZUwuWi3rXyAdls77yoDA7y9RM=", "optional": true }, + "jsesc": { + "version": "2.5.1", + "resolved": "https://registry.npmjs.org/jsesc/-/jsesc-2.5.1.tgz", + "integrity": "sha1-5CGiqOINawgZ3yiQj3glJrlt0f4=" + }, "json-schema": { "version": "0.2.3", "resolved": "https://registry.npmjs.org/json-schema/-/json-schema-0.2.3.tgz", @@ -1212,6 +1217,11 @@ } } }, + "string.fromcodepoint": { + "version": "0.2.1", + "resolved": "https://registry.npmjs.org/string.fromcodepoint/-/string.fromcodepoint-0.2.1.tgz", + "integrity": "sha1-jZeDM8C8klOPUPOD5IiPPlYZ1lM=" + }, "stringstream": { "version": "0.0.5", "resolved": "https://registry.npmjs.org/stringstream/-/stringstream-0.0.5.tgz", 
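Review bot: The three relay handlers now decode client-supplied `name` and `msg` with `unescapeJs` but still perform no validation on what a socket client sends, and `unescapeJs` applied to a non-string value (an object or `undefined` from a malformed client) is likely to throw inside the event handler; a guard such as `if (typeof name !== 'string' || typeof msg !== 'string') return;` before decoding keeps one bad message from disrupting the handler. The decoder is also a different library from the encoder (`unescape-js` vs `jsesc`), so a round-trip test covering quotes, backslashes, line breaks and non-BMP characters such as emoji would confirm the two agree before the broadcast relies on them. `id` and `img` are forwarded untouched even though `img` lands in an image `src` attribute on every connected client (see the `views/mainview.html` hunk), so restricting it to `http:`/`https:` URLs would be a cheap hardening step.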
@@ -1320,6 +1330,11 @@ "resolved": "https://registry.npmjs.org/ultron/-/ultron-1.1.0.tgz", "integrity": "sha1-sHoualQagV/Go0zNRTO67DB8qGQ=" }, + "unescape-js": { + "version": "1.0.8", + "resolved": "https://registry.npmjs.org/unescape-js/-/unescape-js-1.0.8.tgz", + "integrity": "sha1-iJz0aZyT7UMMo9SGs2hfQ1wclYM=" + }, "unpipe": { "version": "1.0.0", "resolved": "https://registry.npmjs.org/unpipe/-/unpipe-1.0.0.tgz", diff --git a/package.json b/package.json index cb07440..117fe4f 100644 --- a/package.json +++ b/package.json @@ -19,10 +19,12 @@ "express-ipfilter": "^0.3.1", "facebook-live-chat": "^1.0.1", "jade": "^1.11.0", + "jsesc": "^2.5.1", "serve-favicon": "^2.4.5", "socket.io": "^2.0.3", "socket.io-redis": "^5.2.0", "twitch-webchat": "^2.0.14", + "unescape-js": "^1.0.8", "youtube-live-chat": "git+https://github.com/Hennamann/youtube-live-chat.git" }, "repository": { diff --git a/views/mainview.html b/views/mainview.html index d24035f..1ed92ee 100644 --- a/views/mainview.html +++ b/views/mainview.html @@ -25,13 +25,13 @@ $(function () { var socket = io(); - socket.on('chat message', function (id, img, name, msg) { + socket.on('chat message', function (id, img, escName, escMsg, name, msg) { $('#messages').append($('
').attr('id', id).attr('class', 'msg-content') .append($('').attr('src', img).attr('id', 'avatar'), $('').attr('id', 'inner-msg').append($('

').text(name).attr('id', 'name'), $('

').text(msg).attr('id', 'message'), $('').append('').text('Mark as Question ').attr( 'id', 'question-btn').attr('onclick', 'markQuestion(\'' + id + '\', \'' + img + - '\', \'' + name + '\', \'' + msg + '\')'), $('').append($('').text( + '\', \'' + escName + '\', \'' + escMsg + '\')'), $('').append($('').text( ' Generate Lower Third').attr('id', 'lowerthird-btn').attr('onclick', 'genLowerThird(\'' + id + '\', \'' + img + '\', \'' + name + '\', \'' + msg + '\')')))));