fix XSS in tab list

Author: michaljaz

src/scripts/additional/tools.js

@@ -0,0 +1,13 @@
+const antiXSS = (str) => {
+  const replacements = [
+    [/&/g, '&'],
+    [/</g, '&lt;'],
+    [/>/g, '&gt;'],
+    [/"/g, '&quot;']
+  ]
+  for (const replacement of replacements) {
+  	str = str.replace(replacement[0], replacement[1])
+  }
+  return str
+}
+export { antiXSS }

src/scripts/gui/TabList.js

@@ -1,5 +1,5 @@
 import $ from 'jquery'
-
+import { antiXSS } from './../additional/tools.js'
 class TabList {
   constructor (game) {
     this.game = game
@@ -10,7 +10,7 @@ class TabList {
     let newHTML = ''
     if (players !== undefined && JSON.stringify(players) !== '{}') {
       for (const i in players) {
-        newHTML += `<div class="tab_player clearfix"><span class="float-left">${i}</span><span class="float-right">${players[i].ping}ms</span></div>`
+        newHTML += `<div class="tab_player clearfix"><span class="float-left">${antiXSS(i)}</span><span class="float-right">${players[i].ping}ms</span></div>`
       }
       if (newHTML !== this.lastHTML) {
         this.lastHTML = newHTML

src/scripts/proxy/Proxy.worker.js

@@ -1,6 +1,7 @@
 /* eslint-env worker */
 import vec3 from 'vec3'
 import Convert from 'ansi-to-html'
+import { antiXSS } from './../additional/tools.js'
 const convert = new Convert()
 
 global.window = self
@@ -60,16 +61,7 @@ addEventListener('message', function (e) {
         emit('kicked', reason)
       })
       bot.on('message', function (msg) {
-        let message = msg.toAnsi()
-
-        const replacements = [
-          [/&/g, '&'],
-          [/</g, '&lt;'],
-          [/>/g, '&gt;'],
-          [/"/g, '&quot;']
-        ]
-        for (const replacement of replacements) { message = message.replace(replacement[0], replacement[1]) }
-
+        const message = antiXSS(msg.toAnsi())
         emit('msg', convert.toHtml(message))
       })
       bot.on('death', () => {