Merge branch 'master' into refactorMultitrackConferenceStructure

ant-media · Nov 22, 2023 · 19331c3 · 19331c3
2 parents 54f95f4 + 35f6de1
commit 19331c3
Show file tree

Hide file tree

Showing 4 changed files with 23 additions and 8 deletions.
diff --git a/src/main/webapp/datachannel_example.html b/src/main/webapp/datachannel_example.html
@@ -372,25 +372,22 @@ <h2 text-align:center>Chat Window</h2>
       createNewMessage(text, dateObj.toLocaleTimeString(), true);
       $("#dataTextbox").val("");
     }
-    function sanitizeHTML(text) {
-    return text.replace(/</g, "&lt;").replace(/>/g, "&gt;");
-    }
     function createNewMessage(message, date, sentByUs) {
       if ($.trim(message) == "") {
         return false;
       }
       if (sentByUs) {
         $(
           '<div class="outgoing_msg row"><div class="col"><div class="sent_msg">	<p>' +
-            sanitizeHTML(message) +
+            webRTCAdaptor.sanitizeHTML(message) +
             '</p><span class="time_date">' +
             date +
             "</span></div></div></div>"
         ).appendTo($("#all_messages"));
       } else {
         $(
           '<div class="incoming_msg row"><div class="col" ><div class="received_msg"><div class="received_withd_msg"><p>' +
-            sanitizeHTML(message)  +
+            message  +
             '</p><span class="time_date">' +
             date +
             "</span></div></div></div>"

diff --git a/src/main/webapp/js/webrtc_adaptor.js b/src/main/webapp/js/webrtc_adaptor.js
@@ -924,7 +924,12 @@ export class WebRTCAdaptor {
             Logger.debug("No event.candidate in the iceCandidate event");
         }
     }
-
+    // sanatize text if it contains script to prevent xss
+    sanitizeHTML(text) {
+        if(text.includes("script"))
+            return text.replace(/</g, "&lt;").replace(/>/g, "&gt;"); 
+        return text
+        }
     /**
      * Called internally to initiate Data Channel.
      * Note that Data Channel should be enabled fromAMS settings.
@@ -953,6 +958,7 @@ export class WebRTCAdaptor {
             var data = obj.data;
 
             if (typeof data === 'string' || data instanceof String) {
+                obj.data = this.sanitizeHTML(obj.data)
                 this.notifyEventListeners("data_received", obj);
             } else {
                 var length = data.length || data.size || data.byteLength;

diff --git a/src/main/webapp/samples/datachannel_only_webrtc_frame.html b/src/main/webapp/samples/datachannel_only_webrtc_frame.html
@@ -226,9 +226,7 @@
 					}
 					else if (info == "data_received") {
 						console.log("Data received: " + obj.data + " type: " + obj.type + " for stream: " + obj.streamId);
-						if (obj.data.eventType === undefined){
 						$("#dataMessagesTextarea").append("Received: " + obj.data + "\r\n");
-						}
 					}
 					else {
 						console.log( info + " notification received");

diff --git a/src/test/js/test/webrtc_adaptor.test.js b/src/test/js/test/webrtc_adaptor.test.js
@@ -260,6 +260,20 @@ describe("WebRTCAdaptor", function() {
 
 	});
 
+	it("sanitize HTML",async function(){
+		var adaptor = new WebRTCAdaptor({
+			websocketURL: "ws://example.com",
+			isPlayMode: true
+		});
+		var scriptMsg = "<script>alert(1)</script>"; //message with script
+		var sanitizeMsg = adaptor.sanitizeHTML(scriptMsg);
+		assert.notEqual(scriptMsg,sanitizeMsg)
+
+		var text="hi how are you"; //message without script
+		var message = adaptor.sanitizeHTML(text)
+		assert.strictEqual(text,message)
+	})
+
 	it("Reconnection for publish", async function()
 	{
 		var adaptor = new WebRTCAdaptor({