6 changes: 4 additions & 2 deletions package.json
Expand Up @@ -4,11 +4,13 @@
"version": "0.4.0",
"main": "server.js",
"dependencies": {
"dompurify": "^2.0.15",
"express": "3.4.x",
"socket.io": "0.9.x"
"sanitize-html": "^1.27.4",
"socket.io": "^1.0.6"
},
"engines": {
"node": "0.10.x",
"npm": "1.2.x"
}
}
}
13 changes: 7 additions & 6 deletions server.js
Expand Up @@ -2,6 +2,7 @@ var express = require('express'),
app = express(),
server = require('http').createServer(app),
io = require('socket.io').listen(server),
sanitizehtml = require('./www/scripts/sanitizehtml.js')
users = [];
//specify the html we will use
app.use('/', express.static(__dirname + '/www'));
Expand All @@ -18,26 +19,26 @@ io.sockets.on('connection', function(socket) {
socket.emit('nickExisted');
} else {
//socket.userIndex = users.length;
socket.nickname = nickname;
users.push(nickname);
socket.nickname = sanitizehtml(nickname);
users.push(sanitizehtml(nickname));
socket.emit('loginSuccess');
io.sockets.emit('system', nickname, users.length, 'login');
io.sockets.emit('system', sanitizehtml(nickname), users.length, 'login');
};
});
//user leaves
socket.on('disconnect', function() {
if (socket.nickname != null) {
//users.splice(socket.userIndex, 1);
users.splice(users.indexOf(socket.nickname), 1);
socket.broadcast.emit('system', socket.nickname, users.length, 'logout');
socket.broadcast.emit('system', sanitizehtml(socket.nickname), users.length, 'logout');
}
});
//new message get
socket.on('postMsg', function(msg, color) {
socket.broadcast.emit('newMsg', socket.nickname, msg, color);
socket.broadcast.emit('newMsg', sanitizehtml(socket.nickname), sanitizehtml(msg), color);
});
//new image get
socket.on('img', function(imgData, color) {
socket.broadcast.emit('newImg', socket.nickname, imgData, color);
socket.broadcast.emit('newImg', sanitizehtml(socket.nickname), sanitizehtml(imgData), color);
});
});
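Review bot: The new `require` on the `sanitizehtml` line of the first hunk has no trailing comma, so the `var` chain ends there and `users = [];` on the next line becomes an implicit global assignment (a ReferenceError under strict mode); the line should read `sanitizehtml = require('./www/scripts/sanitizehtml.js'),`. The server also pulls the sanitizer from the statically served `www/scripts` directory while package.json adds `sanitize-html` as a dependency; if that package is the intended server-side sanitizer, `require('sanitize-html')` keeps the server from depending on a browser asset. `socket.nickname` is already stored sanitized at login, so the further `sanitizehtml(socket.nickname)` calls in the disconnect, postMsg and img handlers re-escape text that was escaped once (an `&` in a nickname would come out as `&amp;amp;` if this sanitizer entity-encodes text the way sanitize-html does). The duplicate-nickname check at the top of the connection handler is outside the hunk; it presumably compares the raw nickname against the sanitized entries in `users`, which would let `a<b` and `a&lt;b` both log in.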
2 changes: 2 additions & 0 deletions www/index.html
Expand Up @@ -47,6 +47,8 @@ <h1>HiChat :)</h1>
</footer>
<script src="/socket.io/socket.io.js"></script>
<script src="scripts/hichat.js"></script>
<script src="scripts/sanitizehtml.js"></script>
<script src="scripts/purify.js"></script>
<script>
/**REMOVE ME IF YOU CANT ACCESS GOOGLE SERVICE**/
(function(i,s,o,g,r,a,m){i['GoogleAnalyticsObject']=r;i[r]=i[r]||function(){
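Review bot: The two sanitizer scripts are added after `scripts/hichat.js`, yet hichat.js calls the `sanitizeHtml` and `DOMPurify` globals they define; this only works as long as every call stays inside an event handler that fires after all scripts have run. Moving the two new `<script>` tags above the `scripts/hichat.js` tag makes the dependency explicit and removes that ordering hazard. Whether `scripts/sanitizehtml.js` actually exposes a `sanitizeHtml` global matching the lowercase `sanitizehtml` the server requires cannot be seen from this page.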
17 changes: 11 additions & 6 deletions www/scripts/hichat.js
Expand Up @@ -25,7 +25,7 @@ HiChat.prototype = {
document.getElementById('info').textContent = '!nickname is taken, choose another pls';
});
this.socket.on('loginSuccess', function() {
document.title = 'hichat | ' + document.getElementById('nicknameInput').value;
document.title = 'hichat | ' + sanitizeHtml(document.getElementById('nicknameInput').value);
document.getElementById('loginWrapper').style.display = 'none';
document.getElementById('messageInput').focus();
});
Expand All @@ -48,7 +48,7 @@ HiChat.prototype = {
that._displayImage(user, img, color);
});
document.getElementById('loginBtn').addEventListener('click', function() {
var nickName = document.getElementById('nicknameInput').value;
var nickName = sanitizeHtml(document.getElementById('nicknameInput').value);
if (nickName.trim().length != 0) {
that.socket.emit('login', nickName);
} else {
Expand All @@ -57,15 +57,15 @@ HiChat.prototype = {
}, false);
document.getElementById('nicknameInput').addEventListener('keyup', function(e) {
if (e.keyCode == 13) {
var nickName = document.getElementById('nicknameInput').value;
var nickName = sanitizeHtml(document.getElementById('nicknameInput').value);
if (nickName.trim().length != 0) {
that.socket.emit('login', nickName);
};
};
}, false);
document.getElementById('sendBtn').addEventListener('click', function() {
var messageInput = document.getElementById('messageInput'),
msg = messageInput.value,
msg = sanitizeHtml(messageInput.value),
color = document.getElementById('colorStyle').value;
messageInput.value = '';
messageInput.focus();
Expand All @@ -77,7 +77,7 @@ HiChat.prototype = {
}, false);
document.getElementById('messageInput').addEventListener('keyup', function(e) {
var messageInput = document.getElementById('messageInput'),
msg = messageInput.value,
msg = sanitizeHtml(messageInput.value),
color = document.getElementById('colorStyle').value;
if (e.keyCode == 13 && msg.trim().length != 0) {
messageInput.value = '';
Expand Down Expand Up @@ -123,7 +123,7 @@ HiChat.prototype = {
if (target.nodeName.toLowerCase() == 'img') {
var messageInput = document.getElementById('messageInput');
messageInput.focus();
messageInput.value = messageInput.value + '[emoji:' + target.title + ']';
messageInput.value = sanitizeHtml(messageInput.value) + '[emoji:' + target.title + ']';
};
}, false);
},
Expand All @@ -139,6 +139,8 @@ HiChat.prototype = {
emojiContainer.appendChild(docFragment);
},
_displayNewMsg: function(user, msg, color) {
msg = DOMPurify.sanitize(msg, {SAFE_FOR_JQUERY: true});
user = DOMPurify.sanitize(user, {SAFE_FOR_JQUERY: true});
var container = document.getElementById('historyMsg'),
msgToDisplay = document.createElement('p'),
date = new Date().toTimeString().substr(0, 8),
Expand All @@ -150,6 +152,8 @@ HiChat.prototype = {
container.scrollTop = container.scrollHeight;
},
_displayImage: function(user, imgData, color) {
imgData = DOMPurify.sanitize(imgData, {SAFE_FOR_JQUERY: true});
user = DOMPurify.sanitize(user, {SAFE_FOR_JQUERY: true});
var container = document.getElementById('historyMsg'),
msgToDisplay = document.createElement('p'),
date = new Date().toTimeString().substr(0, 8);
Expand All @@ -159,6 +163,7 @@ HiChat.prototype = {
container.scrollTop = container.scrollHeight;
},
_showEmoji: function(msg) {
msg = DOMPurify.sanitize(msg, {SAFE_FOR_JQUERY: true});
var match, result = msg,
reg = /\[emoji:\d+\]/g,
emojiIndex,
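Review bot: The `sanitizeHtml(...)` wrappers placed on input reads (`nicknameInput.value` and `messageInput.value` in the loginBtn, nickname keyup, sendBtn and messageInput keyup handlers) are not a security boundary — a hostile client simply omits them — and they alter what honest users typed, since an entity-escaping sanitizer turns `1 < 2` into `1 &lt; 2` before the server escapes it again. The output-side `DOMPurify.sanitize` calls added to `_displayNewMsg`, `_displayImage` and `_showEmoji` (together with the server-side pass) are the controls that matter; the input-side wrappers can be dropped, and the one in the emoji click handler, `messageInput.value = sanitizeHtml(messageInput.value) + '[emoji:' + target.title + ']'`, should certainly go, because an input's `.value` is not an HTML sink and rewriting it visibly corrupts text mid-composition. `color` still passes through `_displayNewMsg` and `_displayImage` untouched; it arrives from the socket, so if it is interpolated into a style or class below the hunk it needs an allowlist of the values the `colorStyle` select offers. The bodies of `_displayNewMsg`, `_displayImage` and `_showEmoji` continue past the hunks.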