feat(security): enhance input validation and security measures across various routes

server/config/bbb.js

@@ -5,6 +5,20 @@ import { log, fmtDuration, fmtStatus, fmtMethod, fmtReturncode, sanitizeBBBParam
 const BBB_URL = process.env.BBB_URL || 'https://your-bbb-server.com/bigbluebutton/api/';
 const BBB_SECRET = process.env.BBB_SECRET || '';
 
+if (!BBB_SECRET) {
+  log.bbb.warn('WARNING: BBB_SECRET is not set. BBB API calls will use an empty secret.');
+}
+
+// HTML-escape for safe embedding in BBB welcome messages
+function escapeHtml(str) {
+  return String(str)
+    .replace(/&/g, '&')
+    .replace(/</g, '&lt;')
+    .replace(/>/g, '&gt;')
+    .replace(/"/g, '&quot;')
+    .replace(/'/g, '&#39;');
+}
+
 function getChecksum(apiCall, params) {
   const queryString = new URLSearchParams(params).toString();
   const raw = apiCall + queryString + BBB_SECRET;
@@ -63,13 +77,13 @@ export async function createMeeting(room, logoutURL, loginURL = null, presentati
   const { moderatorPW, attendeePW } = getRoomPasswords(room.uid);
 
   // Build welcome message with guest invite link
-  let welcome = room.welcome_message || t('defaultWelcome');
+  // HTML-escape user-controlled content to prevent stored XSS via BBB
+  let welcome = room.welcome_message ? escapeHtml(room.welcome_message) : t('defaultWelcome');
   if (logoutURL) {
     const guestLink = `${logoutURL}/join/${room.uid}`;
-    welcome += `<br><br>To invite other participants, share this link:<br><a href="${guestLink}">${guestLink}</a>`;
-    if (room.access_code) {
-      welcome += `<br>Access Code: <b>${room.access_code}</b>`;
-    }
+    welcome += `<br><br>To invite other participants, share this link:<br><a href="${escapeHtml(guestLink)}">${escapeHtml(guestLink)}</a>`;
+    // Access code is intentionally NOT shown in the welcome message to prevent
+    // leaking it to all meeting participants.
   }
 
   const params = {