Strip HTML tags from name and fullName API params.

bbb-common-web/src/main/java/org/bigbluebutton/api/ParamsProcessorUtil.java

@@ -322,7 +322,7 @@ public class ParamsProcessorUtil {
             meetingName = "";
         }
 
-        meetingName = ParamsUtil.stripControlChars(meetingName);
+        meetingName = ParamsUtil.stripHTMLTags(ParamsUtil.stripControlChars(meetingName));
 
         String externalMeetingId = params.get(ApiParams.MEETING_ID);
 

bbb-common-web/src/main/java/org/bigbluebutton/api/util/ParamsUtil.java

@@ -19,6 +19,10 @@ public class ParamsUtil {
   public static String stripControlChars(String text) {
     return text.replaceAll("\\p{Cc}", "");
   }
+  
+  public static String stripHTMLTags(String value) {
+    return value.replaceAll("\\<.*?>","");
+  }
 
   public static boolean isValidMeetingId(String meetingId) {
     //return  VALID_ID_PATTERN.matcher(meetingId).matches();

bigbluebutton-web/grails-app/controllers/org/bigbluebutton/web/controllers/ApiController.groovy

@@ -30,6 +30,7 @@ import org.bigbluebutton.api.domain.Config
 import org.bigbluebutton.api.domain.GuestPolicy
 import org.bigbluebutton.api.domain.Meeting
 import org.bigbluebutton.api.domain.UserSession
+import org.bigbluebutton.api.util.ParamsUtil
 import org.bigbluebutton.api.util.ResponseBuilder
 import org.bigbluebutton.presentation.PresentationUrlDownloadService
 import org.bigbluebutton.presentation.UploadedPresentation
@@ -250,7 +251,7 @@ class ApiController {
     } else {
       errors.missingParamError("fullName");
     }
-    String fullName = params.fullName
+    String fullName = ParamsUtil.stripHTMLTags(params.fullName)
 
     // Do we have a meeting id? If none, complain.
     if (!StringUtils.isEmpty(params.meetingID)) {