fix xss in webui from SAM session name

libi2pd_client/SAM.cpp

@@ -296,6 +296,19 @@ namespace client
 		}
 	}
 
+	static bool IsAcceptableSessionName(const std::string & str)
+	{
+		auto itr = str.begin();
+		while(itr != str.end())
+		{
+			char ch = *itr;
+			++itr;
+			if (ch == '<' || ch == '>' || ch == '"' || ch == '\'' || ch == '/')
+				return false;
+		}
+		return true;
+	}
+
 	void SAMSocket::ProcessSessionCreate (char * buf, size_t len)
 	{
 		LogPrint (eLogDebug, "SAM: session create: ", buf);
@@ -304,6 +317,13 @@ namespace client
 		std::string& style = params[SAM_PARAM_STYLE];
 		std::string& id = params[SAM_PARAM_ID];
 		std::string& destination = params[SAM_PARAM_DESTINATION];
+
+		if(!IsAcceptableSessionName(id))
+		{
+			// invalid session id
+			SendMessageReply (SAM_SESSION_CREATE_INVALID_ID, strlen(SAM_SESSION_CREATE_INVALID_ID), true);
+			return;
+		}
 		m_ID = id;
 		if (m_Owner.FindSession (id))
 		{

libi2pd_client/SAM.h

@@ -28,6 +28,7 @@ namespace client
 	const char SAM_SESSION_CREATE_REPLY_OK[] = "SESSION STATUS RESULT=OK DESTINATION=%s\n";
 	const char SAM_SESSION_CREATE_DUPLICATED_ID[] = "SESSION STATUS RESULT=DUPLICATED_ID\n";
 	const char SAM_SESSION_CREATE_DUPLICATED_DEST[] = "SESSION STATUS RESULT=DUPLICATED_DEST\n";
+	const char SAM_SESSION_CREATE_INVALID_ID[] = "SESSION STATUS RESULT=INVALID_ID\n";
 	const char SAM_SESSION_STATUS_INVALID_KEY[] = "SESSION STATUS RESULT=INVALID_KEY\n";
 	const char SAM_SESSION_STATUS_I2P_ERROR[] = "SESSION STATUS RESULT=I2P_ERROR MESSAGE=%s\n";
 	const char SAM_STREAM_CONNECT[] = "STREAM CONNECT";