
Commit 5c911dd

committed
Sanitize fullName parameter of join API. Fixes #10818
1 parent cafe1a5 commit 5c911dd


1 file changed

+2
-0
lines changed


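--- a/bigbluebutton-web/grails-app/controllers/org/bigbluebutton/web/controllers/ApiController.groovy
+++ b/bigbluebutton-web/grails-app/controllers/org/bigbluebutton/web/controllers/ApiController.groovy
@@ -245,6 +245,8 @@ class ApiController {
 // Do we have a name for the user joining? If none, complain.
 if (!StringUtils.isEmpty(params.fullName)) {
 params.fullName = StringUtils.strip(params.fullName);
+// remove control characters ( sanitize )
+params.fullName = params.fullName.replaceAll("\\p{Cntrl}", "");
 if (StringUtils.isEmpty(params.fullName)) {
 errors.missingParamError("fullName");
 }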
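Review bot: `\p{Cntrl}` in java.util.regex is the POSIX class and, unless UNICODE_CHARACTER_CLASS is set, matches only the US-ASCII controls (0x00-0x1F and 0x7F), so the added `replaceAll` leaves C1 controls (U+0080-U+009F) and format characters such as bidirectional overrides in the display name. The removal also runs after `StringUtils.strip`, so a value such as a control character followed by a space is reduced to a lone space, which the `StringUtils.isEmpty` check on the next line accepts as a valid name. I would remove first and strip afterwards, using the Unicode category: `params.fullName = StringUtils.strip(params.fullName.replaceAll("\\p{Cc}", ""));`. Whether `\p{Cf}` should be removed as well needs an explicit decision, since it would also drop ZWJ/ZWNJ that emoji and some scripts rely on. The enclosing `if` starts before and continues past this hunk, so how fullName is encoded on output is not visible here.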
