Merge master into dev

channel.js

@@ -26,6 +26,7 @@ var ChatCommand = require("./chatcommand.js");
 var Filter = require("./filter.js").Filter;
 var ActionLog = require("./actionlog");
 var Playlist = require("./playlist");
+var sanitize = require("validator").sanitize;
 
 var Channel = function(name) {
     Logger.syslog.log("Opening channel " + name);
@@ -1574,6 +1575,7 @@ Channel.prototype.tryUpdateFilter = function(user, f) {
 
     var re = f.source;
     var flags = f.flags;
+    f.replace = sanitize(f.replace).xss();
     try {
         new RegExp(re, flags);
     }
@@ -1676,6 +1678,7 @@ Channel.prototype.trySetJS = function(user, data) {
 
 Channel.prototype.updateMotd = function(motd) {
     var html = motd.replace(/\n/g, "<br>");
+    html = sanitize(html).xss();
     //html = this.filterMessage(html);
     this.motd = {
         motd: motd,
@@ -1762,8 +1765,7 @@ Channel.prototype.filterMessage = function(msg) {
 
 Channel.prototype.sendMessage = function(username, msg, msgclass, data) {
     // I don't want HTML from strangers
-    msg = msg.replace(/&/g, "&amp;");
+    msg = sanitize(msg).escape();
-    msg = msg.replace(/</g, "&lt;").replace(/>/g, "&gt;");
     msg = this.filterMessage(msg);
     var msgobj = {
         username: username,

package.json

@@ -12,6 +12,7 @@
         "mysql-libmysqlclient": "*",
         "node_hash": "*",
         "bcrypt": "*",
-        "nodemailer": "*"
+        "nodemailer": "*",
+        "validator": "*"
     }
 }

www/assets/js/callbacks.js

@@ -106,8 +106,9 @@ Callbacks = {
 
     setMotd: function(data) {
         CHANNEL.motd = data.html;
+        CHANNEL.motd_text = data.motd;
         $("#motd").html(data.html);
-        $("#motdtext").val(CHANNEL.motd);
+        $("#motdtext").val(CHANNEL.motd_text);
         if(data.motd != "")
             $("#motd").show();
         else

www/assets/js/data.js

@@ -29,6 +29,7 @@ var CHANNEL = {
     css: "",
     js: "",
     motd: "",
+    motd_text: "",
     name: false
 };
 

www/assets/js/util.js

@@ -788,7 +788,7 @@ function handleModPermissions() {
     $("#opt_voteskip_ratio").val(CHANNEL.opts.voteskip_ratio);
     $("#csstext").val(CHANNEL.css);
     $("#jstext").val(CHANNEL.js);
-    $("#motdtext").val(CHANNEL.motd);
+    $("#motdtext").val(CHANNEL.motd_text);
     setVisible("#permedit_tab", CLIENT.rank >= 3);
     setVisible("#banlist_tab", hasPermission("ban"));
     setVisible("#motdedit_tab", hasPermission("motdedit"));