[bbb-greenlight: 4/18] Fix Cross-Site-Scripting Vulnerability (#2034)




commit 503ca5280602d0fcd724bdf457286499d8c6d59c
Author: Lars Kiesow <lkiesow uos de>
Date:   Mon Aug 24 20:32:14 2020 +0200

    Fix Cross-Site-Scripting Vulnerability (#2034)
    
    This patch fixes a cross-site-scripting vulnerability in Greenlight
    which allowed users to inject code into Greenlight by adding scripts
    into their names.
    
    Co-authored-by: Ahmad Farhat <ahmad af farhat gmail com>

 app/assets/javascripts/room.js | 23 ++++++++++++++++-------
 1 file changed, 16 insertions(+), 7 deletions(-)
---
diff --git a/app/assets/javascripts/room.js b/app/assets/javascripts/room.js
index fd346c1..42f9157 100644
--- a/app/assets/javascripts/room.js
+++ b/app/assets/javascripts/room.js
@@ -122,11 +122,20 @@ $(document).on('turbolinks:load', function(){
         listItem.setAttribute('class', 'list-group-item text-left not-saved add-access');
         listItem.setAttribute("data-uid", uid)
 
-        let spanItem = "<span class='avatar float-left mr-2'>" + option.text().charAt(0) + "</span> <span 
class='shared-user'>" +
-          option.text() + " <span class='text-muted'>" + option.data("subtext") + "</span></span>" +
-          "<span class='text-primary float-right shared-user cursor-pointer' 
onclick='removeSharedUser(this)'><i class='fas fa-times'></i></span>"
-
-        listItem.innerHTML = spanItem
+        let spanItemAvatar = document.createElement("span"),
+            spanItemName = document.createElement("span"),
+            spanItemUser = document.createElement("span");
+        spanItemAvatar.setAttribute('class', 'avatar float-left mr-2');
+        spanItemAvatar.innerText = option.text().charAt(0);
+        spanItemName.setAttribute('class', 'shared-user');
+        spanItemName.innerText = option.text();
+        spanItemUser.setAttribute('class', 'text-muted');
+        spanItemUser.innerText = option.data('subtext');
+        spanItemName.append(spanItemUser);
+
+        listItem.innerHTML = "<span class='text-primary float-right shared-user cursor-pointer' 
onclick='removeSharedUser(this)'><i class='fas fa-times'></i></span>"
+        listItem.prepend(spanItemName);
+        listItem.prepend(spanItemAvatar);
 
         $("#user-list").append(listItem)
       }
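Review bot: The remove button at the end of the hunk is still written through `listItem.innerHTML` with an inline `onclick='removeSharedUser(this)'`; the string is static, so it is not an injection path today, but leaving one innerHTML sink in the function that was just fixed for XSS invites the next edit to interpolate into it, and the inline handler is blocked by any Content-Security-Policy that does not allow 'unsafe-inline'. Building that span with createElement/addEventListener removes the last innerHTML use here and lets the prepend/prepend ordering become a single append of avatar, name and button. The three text assignments would be better as `textContent` than `innerText` — textContent is the standard sink for untrusted text and is not layout-dependent. Note also that jQuery's `.data('subtext')` converts numeric or JSON-shaped attribute values, so if the attribute can hold such a value it would render as "[object Object]" or a number; `option.attr('data-subtext')` returns the raw string. The enclosing click handler starts before this hunk.
```javascript
        // … unchanged: spanItemAvatar / spanItemName / spanItemUser built with createElement …
        let removeIcon = document.createElement("i");
        removeIcon.setAttribute('class', 'fas fa-times');
        let spanItemRemove = document.createElement("span");
        spanItemRemove.setAttribute('class', 'text-primary float-right shared-user cursor-pointer');
        spanItemRemove.addEventListener('click', function () { removeSharedUser(this); });
        spanItemRemove.append(removeIcon);

        listItem.append(spanItemAvatar, spanItemName, spanItemRemove);
```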
@@ -134,7 +143,7 @@ $(document).on('turbolinks:load', function(){
 
     $("#presentation-upload").change(function(data) {
       var file = data.target.files[0]
-      
+
       // Check file type and size to make sure they aren't over the limit
       if (validFileUpload(file)) {
         $("#presentation-upload-label").text(file.name)
@@ -327,4 +336,4 @@ function checkIfAutoJoin() {
     $("#joiner-consent").click()
     $("#room-join").click()
   }
-}
\ No newline at end of file
+}

