One thing to test with this before merging is that URLs containing & still get link-ified correctly.

Uh, good point. I just tried and they still work.

In fact, I think your PR fixes another (hypothetical) problem. Before your PR, https://example.org?foo=1&bar=1 incorrectly linked to https://example.org?foo=1&bar=1 (this is probably true for all html entities). With your PR, this problem no longer occurs.

Hmm. Escaping server sided isn‘t really a secure way to fix the issue in my opinion. A quick fix, yes. But not the final way to solve the original problem.

Escaping server sided isn‘t really a secure way to fix the issue in my opinion. A quick fix, yes. But not the final way to solve the original problem.

I assume you are suggesting to handle it on the target client instead?
I agree it would be better, but this would either require stopping server-side message formatting (i.e. prefixing the user name) or it would require transferring the individual parts of the message (user, text) to the client seperately. The latter would probably equal some (possibly incompatible) change in the protocol, which is probably not desired. :)

Which remaining security issues do you see after merging this PR? "Just" the general UDP-related spoofing things?

I assume you are suggesting to handle it on the target client instead?

Yes. Exactly. Send e.g. json to the client, validate that and then display the message.

Which remaining security issues do you see after merging this PR? "Just" the general UDP-related spoofing things?

That's also an issue. I could also imagine that somebody sets a welcome message with "maliscious" html which we do not escape.

Send e.g. json to the client, validate that and then display the message.

Agreed, but as far as I can see this would require a protocol change/extension. If we were to do that, I guess it would make sense to combine it with some other possible improvements in that area.

I could also imagine that somebody sets a welcome message with "maliscious" html which we do not escape.

Agreed, but I think we will always have to trust the server to a specific level. Clients should not have to trust the server as much as that it could run arbitrary code or something, but regarding the content I think there is nothing one could do. An attempt at comparing it with some other area: Facebook could always impersonate anyone on their platform because they have the required access. No need for any formatting hacks, cross site scripting or anything. They (or here: the Jamulus server) could just change the content.
So, I think we have to live with this part. I would vote for simply trusting Welcome messages as they can only be changed by server operators. Server operators are always in a position to cause denial of service (just stop the server) or do impersonation (run a modified Jamulus server code or something).

I am more concerned that by now a valid use case for allowing (some) HTML has been mentioned by @passing in #890 (comment). I don't know yet how to keep such things still working.

I am more concerned that by now a valid use case for allowing (some) HTML has been mentioned by @passing in #890 (comment). I don't know yet how to keep such things still working.

@hoffie
a different way could be a possibility to send multi-line messages that are monospaced. So maybe some button to switch from the "default mode" (single line, proportional font) to "tab mode" (multiline, monospaced). With that, a converter that creates html would also no longer be needed.

OK, can we summarise:

1. This does prevent any client of any version - when connected to a server with this fix - using CSS (and, indeed, wider) spoofing in chat
2. This does not address protocol level attacks of a client

Protection from 2 is not, in my view, the scope of this ticket and shouldn't block adoption of the a solution for a known issue.

BTW: is this already documented in the ChangeLog?

BTW: is this already documented in the ChangeLog?

It appears not. Historically, who added items to the ChangeLog? The contributor of a change, or Volker?

EDIT: Looking at the history for ChangeLog, it appears Volker did so himself. If we need contributors to add their own entries, we need to document this in the contribution guidelines.

If we need contributors to add their own entries, we need to document this in the contribution guidelines.

Agree. Probably the contributing file must be updated too.

Just merged it and documented it in the changelog.