Fix XSS by parsing player counts as raw data and validating favicon URIs (#116)

* Fix XSS by parsing player counts as raw data (instead of parsing it)

* Ensure the returned favicon is a data URI

* Force server favicon size to 64px

* Increase specificity of data URI validation

The previous commit would happily accept any domain (or subdomain) that started with "data"

lib/ping.js

@@ -11,15 +11,22 @@ function pingMinecraftPC(host, port, timeout, callback, version) {
 	    if (err) {
 	        callback(err, null);
 	    } else {
-	    	// Remap our JSON into our custom structure.
+			// Remap our JSON into our custom structure.
+			var favicon;
+
+			// Ensure the returned favicon is a data URI
+			if (res.favicon.indexOf('data:image/') === 0) {
+				favicon = res.favicon;
+			}
+
 	        callback(null, {
 				players: {
-					online: res.players.online,
-					max: res.players.max
+					online: parseInt(res.players.online),
+					max: parseInt(res.players.max)
 				},
-				version: res.version.protocol,
+				version: parseInt(res.version.protocol),
 				latency: util.getCurrentTimeMs() - startTime,
-				favicon: res.favicon
+				favicon
 			});
 	    }
 	}, timeout, version);