Added proper escaping to chat messages. Fixes #13

Hennamann · Oct 14, 2017 · 214adf6 · 214adf6
1 parent eeee116
commit 214adf6
Show file tree

Hide file tree

Showing 4 changed files with 27 additions and 8 deletions.
diff --git a/index.js b/index.js
@@ -11,6 +11,8 @@ var fb = require('facebook-live-chat');
 var tw = require('twitch-webchat');
 var jade = require('jade');
 var EventEmitter = require('event-chains');
+var jsesc = require('jsesc');
+var unescapeJs = require('unescape-js');
 
 //try {
 //    var ipwhitelist = require(__dirname + "/ip-whitelist.json");
@@ -41,7 +43,7 @@ function onTWStartSignal() {
                 var user = message.from
                 var text = message.text // chat message content as text string 
 
-                io.emit('chat message', 'tw-' + Math.floor((Math.random() * 100000000) + 1), 'https://static-cdn.jtvnw.net/jtv_user_pictures/xarth/404_user_70x70.png', user, text);
+                io.emit('chat message', 'tw-' + Math.floor((Math.random() * 100000000) + 1), 'https://static-cdn.jtvnw.net/jtv_user_pictures/xarth/404_user_70x70.png', jsesc(user), jsesc(text), user, text);
                 break
             case 'tick':
             case 'debug':
@@ -77,7 +79,7 @@ function onFBStartSignal() {
     })
     // Emit every new facebook chat message to Socket.io.
     fbClient.on('chat', json => {
-        io.emit('chat message', json.id, 'https://graph.facebook.com/v2.10/' + json.from.id + '/picture?type=large&redirect=true&access_token=' + authDetails.user_access_token, json.from.name, json.message);
+        io.emit('chat message', json.id, 'https://graph.facebook.com/v2.10/' + json.from.id + '/picture?type=large&redirect=true&access_token=' + authDetails.user_access_token, jsesc(json.from.name), jsesc(json.message), json.from.name, json.message);
     });
 
 }
@@ -107,7 +109,7 @@ function onYTStartSignal() {
 
     // Emit every new YT chat message to Socket.io.
     ytClient.on('chat', json => {
-        io.emit('chat message', json.id, json.authorDetails.profileImageUrl, json.authorDetails.displayName, json.snippet.displayMessage);
+        io.emit('chat message', json.id, json.authorDetails.profileImageUrl, jsesc(json.authorDetails.displayName), jsesc(json.snippet.displayMessage), json.authorDetails.displayName, json.snippet.displayMessage);
     });
 }
 
@@ -215,15 +217,15 @@ app.get('/stoptw', function (req, res) {
 io.on('connection', function (socket) {
 
     socket.on('chat message', function (id, img, name, msg) {
-        io.emit('chat message', id, img, name, msg);
+        io.emit('chat message', id, img, unescapeJs(name), unescapeJs(msg));
     });
 
     socket.on('chat question', function (id, img, name, msg) {
-        io.emit('chat question', id, img, name, msg);
+        io.emit('chat question', id, img, unescapeJs(name), unescapeJs(msg));
     });
 
     socket.on('lower third', function (id, img, name, msg) {
-        io.emit('lower third', id, img, name, msg);
+        io.emit('lower third', id, img, unescapeJs(name), unescapeJs(msg));
     });
 
 });

diff --git a/package-lock.json b/package-lock.json
diff --git a/package.json b/package.json
@@ -19,10 +19,12 @@
     "express-ipfilter": "^0.3.1",
     "facebook-live-chat": "^1.0.1",
     "jade": "^1.11.0",
+    "jsesc": "^2.5.1",
     "serve-favicon": "^2.4.5",
     "socket.io": "^2.0.3",
     "socket.io-redis": "^5.2.0",
     "twitch-webchat": "^2.0.14",
+    "unescape-js": "^1.0.8",
     "youtube-live-chat": "git+https://github.com/Hennamann/youtube-live-chat.git"
   },
   "repository": {

diff --git a/views/mainview.html b/views/mainview.html
@@ -25,13 +25,13 @@
     $(function () {
         var socket = io();
 
-        socket.on('chat message', function (id, img, name, msg) {
+        socket.on('chat message', function (id, img, escName, escMsg, name, msg) {
             $('#messages').append($('<div>').attr('id', id).attr('class', 'msg-content')
                 .append($('<img>').attr('src', img).attr('id', 'avatar'), $('<span>').attr('id',
                     'inner-msg').append($('<p>').text(name).attr('id', 'name'),
                     $('<p>').text(msg).attr('id', 'message'), $('<b>').append('<a>').text('Mark as Question ').attr(
                         'id', 'question-btn').attr('onclick', 'markQuestion(\'' + id + '\', \'' + img +
-                        '\', \'' + name + '\', \'' + msg + '\')'), $('<b>').append($('<a>').text(
+                        '\', \'' + escName + '\', \'' + escMsg + '\')'), $('<b>').append($('<a>').text(
                         ' Generate Lower Third').attr('id', 'lowerthird-btn').attr('onclick',
                         'genLowerThird(\'' + id + '\', \'' + img +
                         '\', \'' + name + '\', \'' + msg + '\')')))));