From e1cd6fbb60e5064435eb67e0611619ae3a2e0846 Mon Sep 17 00:00:00 2001
From: rofl256
Date: Thu, 8 Feb 2018 23:43:14 +0100
Subject: [PATCH] prevent cross site scripting

---
 server.js | 21 ++++++++++++++++++++-
 1 file changed, 20 insertions(+), 1 deletion(-)

diff --git a/server.js b/server.js
index 66e1048..217b791 100644
--- a/server.js
+++ b/server.js
@@ -76,7 +76,26 @@ io.on('connection', function(socket){
 });
 socket.on('drawToWhiteboard', function(content) {
+content = escapeAllContentStrings(content);
 socket.broadcast.emit('drawToWhiteboard', content);
 s_whiteboard.handleEventsAndData(content); //save whiteboardchanges on the server
 });
-});
\ No newline at end of file
+});
+
+//Prevent cross site scripting
+function escapeAllContentStrings(content, cnt) {
+if(!cnt)
+cnt = 0;
+
+if(typeof(content)=="string") {
+return content.replace(/<\/?[^>]+(>|$)/g, "");
+}
+for(var i in content) {
+if(typeof(content[i])=="string") {
+content[i] = content[i].replace(/<\/?[^>]+(>|$)/g, "");
+} if(typeof(content[i])=="object" && cnt < 10) {
+content[i] = escapeAllContentStrings(content[i], ++cnt);
+}
+}
+return content;
+}
\ No newline at end of file
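Review bot: The depth guard in `escapeAllContentStrings` uses `++cnt`, which increments the caller's own counter every time an object-valued entry is met, so once ten such siblings have been visited at one level the remaining siblings are no longer recursed into and reach `socket.broadcast.emit` unsanitized; pass a derived depth instead, `content[i] = escapeAllContentStrings(content[i], cnt + 1);`. Stripping `<…>` with the regex is also not output encoding: it removes legitimate text such as comparison operators from whiteboard payloads while doing nothing for strings the client later places in an attribute or script context, so escaping at the point where the client renders the content (or assigning it via textContent) would be the more reliable boundary. The `} if(typeof(content[i])=="object" ...)` following the string branch reads as a missing `else`; the two typeof checks are mutually exclusive so behaviour is unchanged, but `} else if` would make that explicit. The enclosing io.on('connection') callback starts before the hunk.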