-rw-r--r-- | app.js | 27 |
1 files changed, 18 insertions, 9 deletions
@@ -15,6 +15,7 @@ app.use('/client', express.static(__dirname + '/client')); serv.listen(2000); console.log("Server started."); var SOCKET_LIST = {}; +const servermsg = "Server: "; const Entity = require('./server/Entities/Entity') const Player = require('./server/Entities/Player') @@ -95,12 +96,11 @@ io.sockets.on('connection', function(socket){ socket.on('sendMsgToServer', function(data){ if (data) for (var i in SOCKET_LIST){ - SOCKET_LIST[i].emit('addToChat', {ctimestamp: getTimeStamp(0), content: socket.playerName + ': ' + data, tab: "world"}); + SOCKET_LIST[i].emit('addToChat', {ctimestamp: getTimeStamp(0), content: socket.playerName + ': ' + escapeHTML(data), tab: "world"}); } }); socket.on('command', function(data){ - servermsg = "Server: "; modifyer = data[0]; command = data.slice(1).split(' '); @@ -114,16 +114,17 @@ io.sockets.on('connection', function(socket){ case "bc": res = joinArgs(command, 1, 0); for (var i in SOCKET_LIST){ - SOCKET_LIST[i].emit('addToChat', {ctimestamp: getTimeStamp(0), content: "<font color='red' weight='bold'>GlobalAnnounce: " + res + "</font>", tab: "world"}); + SOCKET_LIST[i].emit('addToChat', {ctimestamp: getTimeStamp(0), content: "<font color='red' weight='bold'>GlobalAnnounce: " + escapeHTML(res) + "</font>", tab: "world"}); } break; // @who (args: none) case "who": + res = servermsg; for (var i in Player.Player.list){ - servermsg+=Player.Player.list[i].playerName + ", "; + res+=Player.Player.list[i].playerName + ", "; } - socket.emit('addToChat', {ctimestamp: getTimeStamp(0), content: servermsg, tab:"any"}); + socket.emit('addToChat', {ctimestamp: getTimeStamp(0), content: res, tab:"any"}); break; // @where (args:[playername]) 
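Review bot: In the `sendMsgToServer` hunk (@@ -95) `socket.playerName` is concatenated unescaped into the same `content` string whose `data` part now goes through escapeHTML, so if player names originate from the client the escaping is only half done; the same pattern recurs in the `who` listing in the @@ -114 hunk and in the private-message emits in the @@ -223 hunk. Escape the name as well, `content: escapeHTML(socket.playerName) + ': ' + escapeHTML(data)`, or escape it once where it is assigned. Also `if (data)` only rejects falsy values, and escapeHTML calls `.replace` on its argument, so a non-string payload (an object or number sent over the socket) throws inside the handler; `if (typeof data !== 'string' || data === '') return;` covers both. The 'connection' handler enclosing this code starts and ends outside the hunk.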
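Review bot: `res = servermsg;` in the new `who` branch of the @@ -114 hunk assigns `res` without a declaration visible here; if it is not declared with `var`/`let` earlier in the 'command' handler (outside the hunk), it is an implicit global shared by every connected socket, and `modifyer`/`command` in the @@ -95 hunk look the same. Declaring it at the top of the handler, `var res = '';`, keeps each connection's command state separate. The listing also ends with a trailing `, `; building it with `Object.keys(Player.Player.list).map(function(i){ return Player.Player.list[i].playerName; }).join(', ')` avoids that. The 'command' handler starts and ends outside the hunk.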
@@ -223,8 +224,8 @@ io.sockets.on('connection', function(socket){ for (var i in Player.Player.list){ if (Player.Player.list[i].playerName == command[1]){ - res = joinArgs(command, 2, 0); - socket.emit('addToChat', {ctimestamp: getTimeStamp(0), content: socket.playerName + " : " + res, tab: Player.Player.list[i].playerName}); + res = escapeHTML(joinArgs(command, 2, 0)); + socket.emit('addToChat', {ctimestamp: getTimeStamp(0), content: socket.playerName + ": " + res, tab: Player.Player.list[i].playerName}); SOCKET_LIST[Player.Player.list[i].id].emit('addToChat', {ctimestamp: getTimeStamp(0), content: socket.playerName + ": " + res, tab: socket.playerName}); found = true; break; @@ -258,7 +259,6 @@ io.sockets.on('connection', function(socket){ }); socket.on('evalServer', function(data){ - servermsg = "Server: "; hasPermission(socket.playerName, 80, function(res){ if (res) socket.emit('evalAnswer', eval(data)); @@ -319,4 +319,13 @@ addLeadingZero = function(n){ if (n <= 9) return "0"+n; return n; -}
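Review bot: The two emits in the @@ -223 hunk build the same `socket.playerName + ": " + res` string independently, so any later change to one (such as escaping the name) can silently diverge from the other; build it once, `var msg = socket.playerName + ": " + res;`, and pass `msg` to both. The recipient match `Player.Player.list[i].playerName == command[1]` uses loose equality, and `command[1]` is undefined when no recipient argument was given; `===` keeps the comparison exact. The enclosing loop and the `found` flag start and end outside the hunk.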
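Review bot: The `evalServer` handler in the @@ -258 hunk still passes the raw socket payload to `eval(data)` after the unused `servermsg` line is removed; the only barrier is `hasPermission(socket.playerName, 80, …)`, so the check is only as strong as the way `socket.playerName` is assigned, which is outside this diff. An error thrown by the evaluated string escapes the callback and can take the process down, so guard it: `try { socket.emit('evalAnswer', eval(data)); } catch (e) { socket.emit('evalAnswer', String(e)); }`. A comment above the handler stating that it is an operator-only debugging hook and what permission level 80 denotes would help the next reader. The handler's closing lines are outside the hunk.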
\ No newline at end of file +} + +escapeHTML = function(unsafe) { + return unsafe + .replace(/&/g, "&") + .replace(/</g, "<") + .replace(/>/g, ">") + .replace(/"/g, """) + .replace(/'/g, "'"); + }
\ No newline at end of file |
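Review bot: As rendered on this page every replacement string in the new escapeHTML is identical to the character it matches (`/&/g` → `"&"`, `/</g` → `"<"`, and `.replace(/"/g, """)` is not even a valid literal), so the function would be a no-op and the escaping added in the earlier hunks would do nothing; this looks like the page decoding `&amp;`, `&lt;`, `&gt;`, `&quot;`, `&#39;` for display, but it is worth confirming the committed source carries the entity forms. The function is also created by assignment without `var`/`const`/`function`, an implicit global like `addLeadingZero` above it, and calling `.replace` on a non-string argument throws. A single-pass replace with a lookup table and a string coercion avoids both issues:
```javascript
// Characters that must not reach the client as raw HTML, mapped to their entity forms.
var HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Escape a value for inclusion in chat HTML; non-strings are coerced, null/undefined become ''.
function escapeHTML(unsafe) {
  var text = unsafe == null ? '' : String(unsafe);
  return text.replace(/[&<>"']/g, function (ch) { return HTML_ESCAPES[ch]; });
}
```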