Strip HTML tags from name and fullName API params.

This commit is contained in:
Ghazi Triki 2020-04-03 20:00:33 +03:00
parent f3bb50b3cc
commit 78c649650e
3 changed files with 7 additions and 2 deletions

View File

@ -322,7 +322,7 @@ public class ParamsProcessorUtil {
meetingName = ""; meetingName = "";
} }
meetingName = ParamsUtil.stripControlChars(meetingName); meetingName = ParamsUtil.stripHTMLTags(ParamsUtil.stripControlChars(meetingName));
String externalMeetingId = params.get(ApiParams.MEETING_ID); String externalMeetingId = params.get(ApiParams.MEETING_ID);

View File

@ -19,6 +19,10 @@ public class ParamsUtil {
public static String stripControlChars(String text) { public static String stripControlChars(String text) {
return text.replaceAll("\\p{Cc}", ""); return text.replaceAll("\\p{Cc}", "");
} }
public static String stripHTMLTags(String value) {
return value.replaceAll("\\<.*?>","");
}
public static boolean isValidMeetingId(String meetingId) { public static boolean isValidMeetingId(String meetingId) {
//return VALID_ID_PATTERN.matcher(meetingId).matches(); //return VALID_ID_PATTERN.matcher(meetingId).matches();

View File

@ -30,6 +30,7 @@ import org.bigbluebutton.api.domain.Config
import org.bigbluebutton.api.domain.GuestPolicy import org.bigbluebutton.api.domain.GuestPolicy
import org.bigbluebutton.api.domain.Meeting import org.bigbluebutton.api.domain.Meeting
import org.bigbluebutton.api.domain.UserSession import org.bigbluebutton.api.domain.UserSession
import org.bigbluebutton.api.util.ParamsUtil
import org.bigbluebutton.api.util.ResponseBuilder import org.bigbluebutton.api.util.ResponseBuilder
import org.bigbluebutton.presentation.PresentationUrlDownloadService import org.bigbluebutton.presentation.PresentationUrlDownloadService
import org.bigbluebutton.presentation.UploadedPresentation import org.bigbluebutton.presentation.UploadedPresentation
@ -250,7 +251,7 @@ class ApiController {
} else { } else {
errors.missingParamError("fullName"); errors.missingParamError("fullName");
} }
String fullName = params.fullName String fullName = ParamsUtil.stripHTMLTags(params.fullName)
// Do we have a meeting id? If none, complain. // Do we have a meeting id? If none, complain.
if (!StringUtils.isEmpty(params.meetingID)) { if (!StringUtils.isEmpty(params.meetingID)) {