Added a character limit and removal of special characters to combat X…

…SS attacks.

git-svn-id: https://plugins.svn.wordpress.org/tinychat-roomspy/trunk@1138083 b8457f37-d9ea-0310-8a92-e5e31aec5664

readme.txt

@@ -5,7 +5,7 @@ Donate link: https://www.paypal.com/cgi-bin/webscr?cmd=_s-xclick&hosted_button_i
 Tags: tinychat-roomspy, tinychat, chat, room spy, wordpress chat, buddypress chat, wordpress video chat, buddypress video chat
 Requires at least: 3.6.0
 Tested up to: 4.1.1
-Stable tag: 1.2.8
+Stable tag: 1.2.9
 License: GPLv3
 License URI: http://www.gnu.org/licenses/gpl-3.0.html
 

room-spy.php

@@ -7,14 +7,14 @@
 * Description: Allows you to check who is in a TinyChat room and who is on Video/Audio.
 * Requires at least: WordPress 3.6.0, BuddyPress 1.8.1
 * Tested up to: WordPress 4.1.1 / BuddyPress 2.2.2.1
-* Version: 1.2.8
+* Version: 1.2.9
 * License: GPLv3
 * License URI: http://www.gnu.org/licenses/gpl-3.0.html
-* Date: 14th April 2015
+* Date: 18th April 2015
 */
 // Turn off all error reporting
 error_reporting(0);
-define('COMPARE_VERSION', '1.2.7');
+define('COMPARE_VERSION', '1.2.8');
 register_activation_hook(__FILE__, 'room_spy_install');
 function room_spy_install() {
 
@@ -62,6 +62,8 @@ function wp_show_room_spy() {
 if (($room === 'Room')){}
 	elseif(preg_match("/^[a-z0-9]{3,}/", $_POST['room'])){
 	$room = preg_replace('/[^a-z0-9]/s', '',$room);
+	$room=(strlen($room) > 32) ? substr($room,0,32).'' : $room;
+	$room=htmlspecialchars($room,ENT_QUOTES, 'UTF-8');
 	$data = file_get_contents('http://api.tinychat.com/'.$room.'.xml');
 	$rooms = new SimpleXMLElement($data,libxml_use_internal_errors(true));
 	$array = json_decode(json_encode((array)simplexml_load_string($xml)),1);}?>