The spec for the meetingID
“Meeting IDs should only contain upper/lower ASCII letters, numbers, dashes, or underscores.”
The controller allows more characters than this, which can potentially cause issues or vulnerabilities. The demo page uses ', like "Fred's Meeting".
In looking at XSS prevention.
Here are the 2 calls for create and join.
results of create:
<meeting>
  <returncode>SUCCESS</returncode>
  <meetingName><script>alert("123");</script></meetingName>
  <meetingID><script>alert("123");</script></meetingID>
  <createTime>1437506462649</createTime>
  <createDate>Tue Jul 21 15:21:02 EDT 2015</createDate>
  <voiceBridge>72166</voiceBridge>
  <dialNumber>613-555-1234</dialNumber>
  <running>true</running>
  <duration>0</duration>
  .....
Not an issue with the Flash client; not sure about the HTML5 client or integration pages that try to display this.
Meeting name and welcome need to allow more options for localization and passing HTML links; not sure what can be done to remove scripts.
Larger implementations may choose to handle this through load balancing logic.
Comment #1
Posted on Jul 24, 2015 by Massive Lion
We'll look into applying these changes.
We might have to change the accepted characters in meeting ids, because some integrations are not compatible with the listed spec.
Either way, the API calls should be returning the meetingName and meetingID parameters in an XML-encoded form that can be safely interpreted, like:
&lt;script&gt;alert("123");&lt;/script&gt;
I wonder why that's not the case already, we might be using XML creation functions incorrectly...
Comment #2
Posted on Jul 24, 2015 by Massive Lion
(No comment was entered for this change.)
Status: Accepted
Labels:
Type-Defect
Priority-Medium
Milestone-Release1.0.0
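Added example (not part of the original issue thread and not the project's code): the character check from the spec quoted at the top and the XML encoding asked for in Comment #1, set beside a naive builder. The function names and the naive builder are assumptions made for illustration; the payload, demo name and element names are the ones in the report.

```python
import re
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

# Allowed characters, as quoted from the meetingID spec on this page.
MEETING_ID_RE = re.compile(r"[A-Za-z0-9_-]+")

PAYLOAD = '<script>alert("123");</script>'  # value used in the report
DEMO_NAME = "Fred's Meeting"                # demo-page name from the report


def is_valid_meeting_id(meeting_id):
    """True only if every character is in the spec's allowed set."""
    return MEETING_ID_RE.fullmatch(meeting_id) is not None


def create_response_naive(name, meeting_id):
    """Hypothetical 'before': raw concatenation reproduces the reported output."""
    return ("<meeting><returncode>SUCCESS</returncode>"
            f"<meetingName>{name}</meetingName>"
            f"<meetingID>{meeting_id}</meetingID></meeting>")


def create_response_encoded(name, meeting_id):
    """'After': values are XML-escaped, so markup inside them stays text."""
    return ("<meeting><returncode>SUCCESS</returncode>"
            f"<meetingName>{escape(name)}</meetingName>"
            f"<meetingID>{escape(meeting_id)}</meetingID></meeting>")


def child_tags(xml_text, field):
    """Element names a parser finds nested inside <field>; [] means text only."""
    return [child.tag for child in ET.fromstring(xml_text).find(field)]


if __name__ == "__main__":
    for mid in ("demo-room_42", DEMO_NAME, PAYLOAD):
        print(f"{mid!r}: valid meetingID = {is_valid_meeting_id(mid)}")
    for build in (create_response_naive, create_response_encoded):
        xml_text = build(PAYLOAD, PAYLOAD)
        print(build.__name__, "->", child_tags(xml_text, "meetingName"))
        print(xml_text)
```

The character check is applied only to meetingID; the meeting name keeps its apostrophe and relies on encoding alone, since the report says names need a wider character range.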