fix: sanitize room playlist - By Berno

.gitignore

@@ -1,5 +1,4 @@
 logging/
-compiled-builds/
 *.iml
 .idea/
 target/**
@@ -10,7 +9,6 @@ src/test/
 target/
 config.ini
 *.txt
-*.jar
 *.log
 *.zip
 .DS_Store

Plugins/Javascript-Plugin/pom.xml

@@ -6,7 +6,7 @@
 
     <groupId>com.skeletor</groupId>
     <artifactId>Javascript-Plugin</artifactId>
-    <version>1.0-SNAPSHOT</version>
+    <version>1.1-SNAPSHOT</version>
     <build>
         <plugins>
             <plugin>
@@ -24,8 +24,16 @@
         <dependency>
             <groupId>com.eu.habbo</groupId>
             <artifactId>Habbo</artifactId>
-            <version>3.0.0</version>
+            <version>3.5.1</version>
         </dependency>
+
+        <dependency>
+            <groupId>com.googlecode.owasp-java-html-sanitizer</groupId>
+            <artifactId>owasp-java-html-sanitizer</artifactId>
+            <version>20240325.1</version>
+            <scope>compile</scope>
+        </dependency>
+
     </dependencies>
 
 </project>

Plugins/Javascript-Plugin/src/main/java/com/skeletor/plugin/javascript/audio/RoomPlaylist.java

@@ -5,6 +5,8 @@ import com.eu.habbo.messages.outgoing.generic.alerts.BubbleAlertComposer;
 import gnu.trove.map.hash.THashMap;
 import java.util.ArrayList;
 
+import static com.skeletor.plugin.javascript.utils.RegexUtility.sanitize;
+
 public class RoomPlaylist {
   private ArrayList<YoutubeVideo> playlist = new ArrayList<>();
   
@@ -41,14 +43,15 @@ public class RoomPlaylist {
 
   public YoutubeVideo removeSong(int index) {
     YoutubeVideo res = null;
-    if (this.playlist.size() - 1 >= index)
+    if(playlist.size() - 1 >= index)
       res = this.playlist.remove(index);
-    if (this.playlist.size() == 0)
-      setPlaying(false); 
-    if (index == getCurrentIndex()) {
-      if (index > this.playlist.size() - 1 && this.playlist.size() > 0)
+    if(playlist.isEmpty()) this.setPlaying(false);
+    if(index == this.getCurrentIndex()) {
+      if(index > this.playlist.size() - 1 && !this.playlist.isEmpty()) {
         this.current = this.playlist.size() - 1;
-    } else if (index < getCurrentIndex() && getCurrentIndex() > 0) {
+      }
+    }
+    else if(index < this.getCurrentIndex() && this.getCurrentIndex() > 0) {
       this.current--;
     }
     return res;
@@ -81,10 +84,10 @@ public class RoomPlaylist {
   }
 
   public MessageComposer getNowPlayingBubbleAlert() {
-    THashMap<String, String> keys = new THashMap();
+    final THashMap<String, String> keys = new THashMap<>();
     keys.put("display", "BUBBLE");
-    keys.put("image", "${image.library.url}notifications/music.png");
-    keys.put("message", "Now playing " + (getCurrentSong()).name);
-    return (MessageComposer)new BubbleAlertComposer("", keys);
+    keys.put("image", ("${image.library.url}notifications/music.png"));
+    keys.put("message", "Now playing " + sanitize(this.getCurrentSong().name));
+    return new BubbleAlertComposer("", keys);
   }
 }

Plugins/Javascript-Plugin/src/main/java/com/skeletor/plugin/javascript/utils/RegexUtility.java

@@ -1,15 +1,30 @@
 package com.skeletor.plugin.javascript.utils;
-
+import org.owasp.html.HtmlPolicyBuilder;
+import org.owasp.html.PolicyFactory;
 import java.util.regex.Matcher;
 import java.util.regex.Pattern;
 
 public class RegexUtility {
-  public static String getYouTubeId(String youTubeUrl) {
+
+  public static String getYouTubeId (String youTubeUrl) {
     String pattern = "(?<=youtu.be/|watch\\?v=|/videos/|embed\\/)[^#\\&\\?]*";
     Pattern compiledPattern = Pattern.compile(pattern);
     Matcher matcher = compiledPattern.matcher(youTubeUrl);
-    if (matcher.find())
+    if(matcher.find()){
       return matcher.group();
-    return "";
+    } else {
+      return "";
+    }
+  }
+
+  /**
+   * Sanitizes a string by removing any potentially harmful HTML elements.
+   *
+   * @param str The string to be sanitized.
+   * @return The sanitized string.
+   */
+  public static String sanitize(String str) {
+    PolicyFactory policy = new HtmlPolicyBuilder().toFactory();
+    return policy.sanitize(str);
   }
 }