The simplechat from d0nd3r3k

simplechat's Introduction

simpleChat

Install & run

git clone [email protected]:DonaldDerek/SimpleChat.git && cd SimpleChat && npm install

node index.js

License

The MIT License (MIT)

^{Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:}

^{The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.}

^{THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.}

simplechat's People

Contributors

Stargazers

Watchers

simplechat's Issues

No input sanitisation

Hey Donald,

As part of a University led project I am looking for an open source project with a security issue.
The project entails that once a security issue has been found, we develop a patch and inform the developer(s).

We have found that within your chat application that there is no sanitation performed on the users input before it is emitted for other users to view. This vulnerability can be exploited in a variety of ways such as leveraging the injection of HTML, CSS and JavaScript into other clients’ browsers to perform XSS.

The solution is very simple - you simply need to sanitise the users input before emitting it back into the system for others to view.

We want to add the following sanitise function into the top of the chat.js file (or somewhere more suitable if you prefer):

function sanitise(str) { return String(str).replace(/</g, '<').replace(/>/g, '>').replace(/"/g, '"'); }

Once this has been added, we want to edit the sendButton.onclick function to include this sanitation.
Simply wrap field.value and name.value with the sanitation function when emitting.

socket.emit('send', { message: sanitise(field.value), username: sanitise(name.value) });

That should then resolve the issue.

I have attached an amended chat.js for your convenience

chat.zip

Thanks!

Recommend Projects

d0nd3r3k / simplechat Goto Github PK

simplechat's Introduction

simpleChat

Install & run

License

simplechat's People

Contributors

Stargazers

Watchers

Forkers

simplechat's Issues

No input sanitisation

Recommend Projects

React

Vue.js

Typescript

TensorFlow

Django

Laravel

D3

Recommend Topics

javascript

web

server

Machine learning

Visualization

Game

Recommend Org

Facebook

Microsoft

Google

Alibaba

D3

Tencent