sanitize display name and markdown codeblock.

client/src/components/markdown.ts

@@ -90,7 +90,7 @@ const rules: MarkdownRules = {
       }
     },
     html(node, output, state) {
-      return htmlTag('pre', htmlTag('code', node.content, state), {}, state)
+      return htmlTag('pre', htmlTag('code', md.sanitizeText(node.content), {}, state), {}, state)
     },
   },
   blockQuote: {

client/src/store/user.ts

@@ -2,6 +2,7 @@ import { getterTree, mutationTree, actionTree } from 'typed-vuex'
 import { Member } from '~/neko/types'
 import { EVENT } from '~/neko/events'
 
+import md from 'simple-markdown'
 import { accessor } from '~/store'
 
 export const namespaced = true
@@ -40,6 +41,7 @@ export const mutations = mutationTree(state, {
       data[member.id] = {
         connected: true,
         ...member,
+        displayname: md.sanitizeText(member.displayname),
       }
     }
     state.members = data
@@ -48,16 +50,12 @@ export const mutations = mutationTree(state, {
     state.id = id
   },
   addMember(state, member: Member) {
-    // remove html tags
-    const tmp = document.createElement('div')
-    tmp.innerHTML = member.displayname
-    member.displayname = tmp.textContent || tmp.innerText || ''
-
     state.members = {
       ...state.members,
       [member.id]: {
         connected: true,
         ...member,
+        displayname: md.sanitizeText(member.displayname),
       },
     }
   },

docs/changelog.md

@@ -12,6 +12,7 @@
 ### Misc
 - ARM-based images not bound to Raspberry Pi only.
 - Add japanese characters support.
+- Sanitize display name and markdown codeblock input to prevent xss.
 
 ## [n.eko v2.4](https://github.com/m1k1o/neko/releases/tag/v2.4)