Fix: XSS in chat

front/src/WebRtc/DiscussionManager.ts

@@ -151,13 +151,20 @@ export class DiscussionManager {
         this.nbpParticipants.innerText = `PARTICIPANTS (${nb})`;
     }
 
-    private urlify(text: string) {
+    private escapeHtml(html: string): string {
+        const textReturn : HTMLSpanElement = document.createElement('span');
+        const text = document.createTextNode(html);
+        textReturn.innerText = text;
+        const p = document.createElement('p');
+        p.appendChild(text);
+        return p.innerHTML;
+    }
+    private urlify(text: string) : string {
         const urlRegex = /(https?:\/\/[^\s]+)/g;
+	text = this.escapeHtml(text);
         return text.replace(urlRegex, (url: string) => {
-            return '<a href="' + url + '" target="_blank">' + url + '</a>';
-        })
-        // or alternatively
-        // return text.replace(urlRegex, '<a href="$1">$1</a>')
+            return '<a href="' + url + '" target="_blank" style=":visited {color: white}">' + url + '</a>';
+        });
     }
 
     public addMessage(name: string, message: string, isMe: boolean = false) {
@@ -231,4 +238,4 @@ export class DiscussionManager {
     }
 }
 
-export const discussionManager = new DiscussionManager();
+export const discussionManager = new DiscussionManager();