Merge branch 'develop'

* develop:
  Updated travis for lastest distro and chromedriver. Update darkwire to v1.5.8
  Adds rel=noreferrer and rel=noopener to autolinks (Fixes #46)
  Fixes XSS attack through user renaming (#47)
  Dockerfile strictly requiring njs 6.7

.travis.yml

@@ -18,7 +18,7 @@ before_install:
   - sudo apt-get install -y libappindicator1 fonts-liberation
   - wget https://dl.google.com/linux/direct/google-chrome-stable_current_amd64.deb
   - sudo dpkg -i google-chrome*.deb
-  - wget http://chromedriver.storage.googleapis.com/2.21/chromedriver_linux64.zip
+  - wget http://chromedriver.storage.googleapis.com/2.24/chromedriver_linux64.zip
   - unzip chromedriver_linux64
   - sudo mv chromedriver /usr/bin  
 before_script:

Dockerfile

@@ -1,4 +1,4 @@
-FROM node:6
+FROM node:6.7
 
 RUN npm install -g forever
 

package.json

@@ -1,6 +1,6 @@
 {
   "name": "darkwire",
-  "version": "1.5.7",
+  "version": "1.5.8",
   "description": "Encrypted web socket chat",
   "main": "index.js",
   "dependencies": {

src/js/app.js

@@ -211,9 +211,19 @@ export default class App {
   // Prevents input from having injected markup
   cleanInput(input) {
     input = input.replace(/\r?\n/g, '<br />');
-    let sanitized = he.encode(input);
-    sanitized = Autolinker.link(sanitized);
-    return sanitized;
+    return this.autolinker(he.encode(input));
+  }
+
+  // Adds rel=noopener noreferrer to autolinked links (Addresses #46 from @Mickael-van-der-Beek)
+  autolinker(sanitized) {
+    return Autolinker.link(sanitized, {
+      replaceFn: function(match) {
+        const tag = match.buildTag();
+        tag.setAttr('rel', 'noopener noreferrer');
+
+        return tag;
+      }
+    });
   }
 
   // Sets the client's username

src/public/style.css

@@ -358,3 +358,9 @@ html.no-touchevents .chat #input-icons {
   font-style: italic;
   display: block;
 }
+
+.external-link:after {
+  content: 'External Link';
+  color: #FFF;
+  background-color: red;
+}

src/room.js

@@ -12,6 +12,7 @@ class Room {
     EventEmitter.call(this);
 
     const thisIO = io.of(this._id);
+
     thisIO.on('connection', (socket) => {
       let addedUser = false;
 
@@ -34,10 +35,13 @@ class Room {
         if (addedUser) { return; }
 
         data.id = uuid.v4();
+
         this.users.push(data);
 
+        const username = this.sanitizeUsername(data.username);
+
         // we store the username in the socket session for this client
-        socket.username = data.username;
+        socket.username = username;
         socket.user = data;
         ++this.numUsers;
         addedUser = true;
@@ -87,16 +91,18 @@ class Room {
 
       // Update user
       socket.on('update user', (data) => {
-        if (data.newUsername.length > 16) {
+        const newUsername = this.sanitizeUsername(data.newUsername);
+
+        if (newUsername.length > 16) {
           return false;
         }
-        let user = _.find(this.users, (users) => {
+
+        const user = _.find(this.users, (users) => {
           return users === socket.user;
         });
 
         if (user) {
-          user.username = data.newUsername;
-          socket.username = user.username;
+          socket.username = user.username = newUsername;
           socket.user = user;
 
           thisIO.emit('user update', {
@@ -110,6 +116,10 @@ class Room {
     });
   }
 
+  sanitizeUsername(str) {
+    return str.replace(/[^A-Za-z0-9]/g, '-');
+  }
+
   roomId() {
     return this.id;
   }

test/unit/app.js

@@ -38,10 +38,11 @@ describe('App', () => {
       app = new App();
     });
 
-    it('should create HTML links from URLs', () => {
+    it('should create HTML links from URLs with "rel=noopener noreferrer"', () => {
       let input = app.cleanInput('cnn.com');
-      assert.equal(input, '<a href="http://cnn.com" target="_blank">cnn.com</a>');
+      assert.equal(input, '<a href="http://cnn.com" target="_blank" rel="noopener noreferrer">cnn.com</a>');
     });
+
   });
 
 });