From 282f43e8f1e2d4ba73cc3fa9bc4060a0d81a56ec Mon Sep 17 00:00:00 2001
From: Dan Seripap
Date: Mon, 28 Nov 2016 12:18:23 -0500
Subject: [PATCH] Fixes XSS attack through user renaming (#47)
---
 src/room.js | 20 +++++++++++++++-----
 1 file changed, 15 insertions(+), 5 deletions(-)
diff --git a/src/room.js b/src/room.js
index 0547092..8f9d264 100644
--- a/src/room.js
+++ b/src/room.js
@@ -12,6 +12,7 @@ class Room {
 EventEmitter.call(this);
 const thisIO = io.of(this._id);
+
 thisIO.on('connection', (socket) => {
 let addedUser = false;
@@ -34,10 +35,13 @@ class Room {
 if (addedUser) { return; }
 data.id = uuid.v4();
+
 this.users.push(data);
+ const username = this.sanitizeUsername(data.username);
+
 // we store the username in the socket session for this client
- socket.username = data.username;
+ socket.username = username;
 socket.user = data;
 ++this.numUsers;
 addedUser = true;
@@ -87,16 +91,18 @@ class Room {
 // Update user
 socket.on('update user', (data) => {
- if (data.newUsername.length > 16) {
+ const newUsername = this.sanitizeUsername(data.newUsername);
+
+ if (newUsername.length > 16) {
 return false;
 }
- let user = _.find(this.users, (users) => {
+
+ const user = _.find(this.users, (users) => {
 return users === socket.user;
 });
 if (user) {
- user.username = data.newUsername;
- socket.username = user.username;
+ socket.username = user.username = newUsername;
 socket.user = user;
 thisIO.emit('user update', {
@@ -110,6 +116,10 @@ class Room {
 });
 }
+ sanitizeUsername(str) {
+ return str.replace(/[^A-Za-z0-9]/g, '-');
+ }
+
 roomId() {
 return this.id;
 }
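Review bot: In the 'add user' hunk the sanitized name is written only to `socket.username`, while the `data` object that carries the raw `data.username` is still pushed into `this.users` and assigned to `socket.user` unchanged, so the unsanitized value stays in the room's user list; if that list is ever emitted to clients (the 'login' / 'user joined' payloads are outside this hunk, so I cannot confirm), the join path keeps the same injection surface the rename path now closes. Sanitizing the record itself keeps both in step: `data.username = this.sanitizeUsername(data.username);` before `this.users.push(data);`, then `socket.username = data.username;`. As written, a join event with a missing or non-string `username` also makes `sanitizeUsername` throw on `.replace` inside the socket handler, so a `typeof data.username !== 'string'` guard that returns early is worth adding here too. The enclosing 'add user' callback starts and ends outside the hunk.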
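Review bot: `const newUsername = this.sanitizeUsername(data.newUsername);` in the 'update user' handler dereferences client-supplied input with no shape check, so a payload without `newUsername` (or with a non-string value) throws a TypeError from `.replace` before the length check runs; the previous `data.newUsername.length` had the same weakness, but this hunk is the place to close it. A guard ahead of the sanitize call keeps malformed events on the same early-return path as over-long names: `if (!data || typeof data.newUsername !== 'string') { return false; }`. Note also that after sanitizing, a name consisting only of rejected characters becomes a string of dashes that still passes the `> 16` test, so if empty or all-dash names are undesirable a second check on `newUsername` is needed. The enclosing callback continues past the hunk at `thisIO.emit('user update', {`.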
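Review bot: The new `sanitizeUsername(str)` method has no documentation and its contract matters for security, since every caller relies on it to strip markup-capable characters; a short JSDoc above it would make the allowlist intent and the string precondition explicit, e.g. `/** Replaces every character outside [A-Za-z0-9] with '-'. Callers must pass a string; non-string input throws. */`. The replace-with-dash approach means `<b>` and `---` become indistinguishable, which is acceptable for display names but worth stating in the comment so nobody later "fixes" it into an HTML escape. Because this sanitizes at input time rather than at render time, the client-side rendering of usernames still needs to treat them as text (not HTML); that code is not in this diff, so I cannot confirm it does.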