Enhance security and validation across multiple routes:

- Escape XML and HTML special characters to prevent injection attacks.
- Implement rate limiting for various endpoints to mitigate abuse.
- Add validation for email formats, password lengths, and field limits.
- Ensure proper access control for recordings and room management.

server/config/bbb.js

@@ -81,10 +81,16 @@ export async function createMeeting(room, logoutURL, loginURL = null, presentati
     params.lockSettingsLockOnJoin = 'true';
   }
 
-  // Build optional presentation XML body
-  const xmlBody = presentationUrl
-    ? `<modules><module name="presentation"><document url="${presentationUrl}" /></module></modules>`
-    : null;
+  // Build optional presentation XML body – escape URL to prevent XML injection
+  let xmlBody = null;
+  if (presentationUrl) {
+    const safeUrl = presentationUrl
+      .replace(/&/g, '&amp;')
+      .replace(/"/g, '&quot;')
+      .replace(/</g, '&lt;')
+      .replace(/>/g, '&gt;');
+    xmlBody = `<modules><module name="presentation"><document url="${safeUrl}" /></module></modules>`;
+  }
 
   return apiCall('create', params, xmlBody);
 }
@@ -132,6 +138,17 @@ export async function getRecordings(meetingID) {
   return Array.isArray(recordings) ? recordings : [recordings];
 }
 
+export async function getRecordingByRecordId(recordID) {
+  const result = await apiCall('getRecordings', { recordID });
+  if (result.returncode !== 'SUCCESS' || !result.recordings) {
+    return null;
+  }
+  const recordings = result.recordings.recording;
+  if (!recordings) return null;
+  const arr = Array.isArray(recordings) ? recordings : [recordings];
+  return arr[0] || null;
+}
+
 export async function deleteRecording(recordID) {
   return apiCall('deleteRecordings', { recordID });
 }