wolfcomp closed 5 months ago
If I'm looking at the code correctly, there is no protection against setting protected HTTP characters in the request, and it should be added to this line of code: https://github.com/Glimesh/broadcast-box/blob/main/main.go#L81. This should include both characters needing https://datatracker.ietf.org/doc/html/rfc3986#section-2.1 and the following characters https://datatracker.ietf.org/doc/html/rfc3986#section-2.2 on a blacklist.
Thanks for digging on this @wolfcomp!
Do you have the time to add URL sanitizers to WHIP+WHEP requests?
I don't know the functions in the Go language, so I won't be of help there. I can however compile a regex string for all the characters.
Blacklist pattern: [:/#@!$&',;=% \*\+\(\)\?\[\]]
Whitelist pattern: [A-Za-z0-9_~\-\.]
I attempted a fix, not sure if it's the best way of doing it but it did work when tested locally. Hopefully it should help in the end though :)
When putting a token into the web browser, all spaces are converted over to %20 while what is received from OBS doesn't contain this sanitization. This causes a flow break when trying to load the stream, as you aren't allowed to send non-sanitized spaces in a web browser.
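The whitelist approach from the thread, sketched in Go as an added example (not code from this thread or from broadcast-box). The helper name `canonicalStreamKey` is hypothetical, and decoding the key once before validating is an assumption about how to make the browser-encoded and OBS-supplied forms agree.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"regexp"
)

// Whitelist pattern from the thread, anchored so the whole key must match
// rather than any single character in it.
var streamKeyAllowed = regexp.MustCompile(`^[A-Za-z0-9_~\-\.]+$`)

var errInvalidStreamKey = errors.New("stream key contains characters outside the whitelist")

// canonicalStreamKey (hypothetical helper) percent-decodes the key exactly
// once, so a browser-encoded key and a raw key from OBS take the same form,
// then rejects anything outside the whitelist, including the empty key.
func canonicalStreamKey(raw string) (string, error) {
	decoded, err := url.PathUnescape(raw)
	if err != nil {
		return "", fmt.Errorf("malformed percent-encoding: %w", err)
	}
	if !streamKeyAllowed.MatchString(decoded) {
		return "", errInvalidStreamKey
	}
	return decoded, nil
}

func main() {
	// Constructed sample keys: plain, browser-encoded, and rejected forms.
	samples := []string{
		"my_stream-1", "%6Dy_stream-1", // both canonicalize to my_stream-1
		"my stream", "my%20stream", // space is rejected in either form
		"a/b", "a%2Fb", "bad%zz", "",
	}
	for _, raw := range samples {
		key, err := canonicalStreamKey(raw)
		fmt.Printf("%-16q -> %q, err=%v\n", raw, key, err)
	}
}
```

A handler would call this on the key from a WHIP or WHEP request and answer with a 400 on error, so both clients see the same accept or reject decision for the same key.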