Merge branch 'fix/chat-xss-vulnerability' of https://github.com/Alok-2005/sugarizer into pr/1939

Lionel Laské · Lionel Laské · commit 3155ff7dbd5b · 2026-02-04T21:32:23.000+01:00
diff --git a/js/modules/user.js b/js/modules/user.js
@@ -59,6 +59,13 @@ define([], function() {
 		return settings && settings.sharedJournal ? settings.sharedJournal : null;
 	}
 
+	// Validate username - returns true if valid, false if contains HTML characters
+	let validateName = function(name) {
+		// Check for HTML special characters that could enable XSS
+		const htmlChars = /[<>&"']/;
+		return !htmlChars.test(name);
+	}
+
 	// Check if user exists
 	user.checkIfExists = function(baseurl, name) {
 		return new Promise((resolve, reject) => {
@@ -89,6 +96,10 @@ define([], function() {
 
 	// Signup user
 	user.signup = async function(baseurl, name, password, color) {
+		// Validate username - reject if contains HTML characters
+		if (!validateName(name)) {
+			throw new Error("Invalid username: contains forbidden characters");
+		}
 		const signupData = {
 			"name": `${name}`,
 			"password": `${password}`,
@@ -187,6 +198,11 @@ define([], function() {
 	// Update user information
 	user.update = function(data, dataLocal = null) {
 		return new Promise((resolve, reject) => {
+			// Validate username if being updated - reject if contains HTML characters
+			if (data.name && !validateName(data.name)) {
+				reject(new Error("Invalid username: contains forbidden characters"));
+				return;
+			}
 			// update the user locally
 			sugarizer.modules.settings.setUser(dataLocal ? dataLocal : data);
 
diff --git a/js/screens/loginscreen.js b/js/screens/loginscreen.js
@@ -371,6 +371,11 @@ const LoginScreen = {
 					this.login(this.details.serverAddress, this.details.name, this.details.password);
 				}, (error) => {
 					console.log(error);
+					if (error.message && error.message.includes("Invalid username")) {
+						this.warning.show = true;
+						this.warning.text = this.$t("InvalidName");
+						this.isLoading = false;
+					}
 				});
 			}
 
diff --git a/js/screens/settings-aboutme.js b/js/screens/settings-aboutme.js
@@ -186,6 +186,11 @@ const AboutMe = {
 				)
 				.then(() => {
 					sugarizer.reload();
+				}, (error) => {
+					if (error.message && error.message.includes("Invalid username")) {
+						this.warning.show = true;
+						this.warning.text = this.$t("InvalidName");
+					}
 				});
 		},
 
diff --git a/locales/en.json b/locales/en.json
@@ -136,6 +136,7 @@
 	"ChoosePassword": "Choose at least {{min}} images:",
 	"UserLoginInvalid": "Invalid user name or images",
 	"UserAlreadyExist": "User already exist",
+	"InvalidName": "Invalid name",
 	"ServerError": "Server error code {{code}}",
 	"ServerNotSet": "Your server is not set",
 	"AndroidSettings": "Android Settings",
