BigBlueButton/bigbluebutton-Github
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

fix(sec): filter tags in presentation name

Browse Source
This commit is contained in:
Anton Georgiev 2024-01-10 14:15:56 -05:00
parent 45585215cc
commit f50e10b5ea
3 changed files with 8 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
bbb-common-web/src/main/java/org/bigbluebutton/api/util/ParamsUtil.java
View File

@ -21,6 +21,10 @@ public class ParamsUtil {
return text.replaceAll("\\p{Cc}", "").trim();
}
public static String stripTags(String text) {
return text.replaceAll("<[^>]*>", "");
}
public static String escapeHTMLTags(String value) {
return StringEscapeUtils.escapeHtml4(value);
}

3
bigbluebutton-html5/imports/ui/components/chat/service.js
View File

@ -345,13 +345,14 @@ const removePackagedClassAttribute = (classnames, attribute) => {
};
const getExportedPresentationString = (fileURI, filename, intl, fileStateType) => {
const sanitizedFilename = stripTags(filename);
const intlFileStateType = fileStateType === 'Original' ? intlMessages.original : intlMessages.withWhiteboardAnnotations;
const href = `${APP.bbbWebBase}/${fileURI}`;
const warningIcon = '<i class="icon-bbb-warning"></i>';
const label = `<span>${intl.formatMessage(intlMessages.download)}</span>`;
const notAccessibleWarning = `<span title="${intl.formatMessage(intlMessages.notAccessibleWarning)}">${warningIcon}</span>`;
const link = `<a aria-label="${intl.formatMessage(intlMessages.notAccessibleWarning)}" href=${href} type="application/pdf" target="_blank" rel="noopener, noreferrer" download>${label}&nbsp;${notAccessibleWarning}</a>`;
const name = `<span>${filename} (${intl.formatMessage(intlFileStateType)})</span>`;
const name = `<span>${sanitizedFilename} (${intl.formatMessage(intlFileStateType)})</span>`;
return `${name}</br>${link}`;
};

2
bigbluebutton-web/grails-app/controllers/org/bigbluebutton/web/controllers/PresentationController.groovy
View File

@ -30,6 +30,7 @@ import org.apache.commons.io.FilenameUtils;
import org.bigbluebutton.web.services.PresentationService
import org.bigbluebutton.presentation.UploadedPresentation
import org.bigbluebutton.api.MeetingService;
import org.bigbluebutton.api.util.ParamsUtil;
import org.bigbluebutton.api.Util;
class PresentationController {
@ -161,6 +162,7 @@ class PresentationController {
// Gets the name minus the path from a full fileName.
// a/b/c.txt --> c.txt
presFilename = FilenameUtils.getName(presOrigFilename)
presFilename = ParamsUtil.stripTags(presFilename)
filenameExt = FilenameUtils.getExtension(presFilename)
} else {
log.warn "Upload failed. File Empty."